SB2024050613 - Multiple vulnerabilities in Jenkins Script Security plugin

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Security features bypass (CVE-ID: CVE-2024-34144)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the sandbox bypass issue involving crafted constructor bodies. A remote user can define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code on the system.

2) Security features bypass (CVE-ID: CVE-2024-34145)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the sandbox bypass issue involving sandbox-defined classes that shadow specific non-sandbox-defined classes. A remote user can define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code on the system.

Remediation

Install update from vendor's website.

References

• https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3341
• http://www.openwall.com/lists/oss-security/2024/05/02/3