Multiple vulnerabilities in Jenkins Script Security plugin
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2024-34144 CVE-2024-34145 |
| CWE-ID | CWE-254 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
Script Security Web applications / Modules and components for CMS |
| Vendor | Jenkins |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Security features bypass
EUVDB-ID: #VU89153
Risk: Medium
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-34144
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the sandbox bypass issue involving crafted constructor bodies. A remote user can define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsScript Security: 1335.vf07d9ce377a_e
External linkshttp://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3341
http://www.openwall.com/lists/oss-security/2024/05/02/3
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Security features bypass
EUVDB-ID: #VU89154
Risk: Medium
CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2024-34145
CWE-ID:
CWE-254 - Security Features
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the sandbox bypass issue involving sandbox-defined classes that shadow specific non-sandbox-defined classes. A remote user can define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code on the system.
MitigationInstall updates from vendor's website.
Vulnerable software versionsScript Security: 1335.vf07d9ce377a_e
External linkshttp://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3341
http://www.openwall.com/lists/oss-security/2024/05/02/3
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
