Jenkins Script Security Plugin 1.64 Improper Control of Generation of Code Vulnerability

Summary

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.64 and earlier related to the handling of default parameter expressions in constructors allowed attackers to execute arbitrary code in sandboxed scripts.

Credit:

The information has been provided by the vendor.

The original article can be found at:

https://jenkins.io/security/advisory/2019-10-01/#SECURITY-1579

 


Details

Sandbox protection in Script Security Plugin could be circumvented through default parameter expressions in constructors.

This allowed attackers able to specify and run sandboxed scripts to execute arbitrary code in the context of the Jenkins master JVM.

These expressions are now subject to sandbox protection.

Vulnerable Systems:

Jenkins Script Security Plugin 1.64 and earlier
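
To check an exported plugin list against the affected range above, the following added example (not part of the original advisory or of the Jenkins project) classifies the Script Security entry. It assumes an inventory in `name:version` form, one plugin per line, and that the plugin appears under the short name `script-security`; the sample inventory is constructed.

```python
import re

PLUGIN_ID = "script-security"   # assumed short name used in the inventory
LAST_AFFECTED = (1, 64)         # from the advisory: "1.64 and earlier"

# Constructed sample inventory (not taken from a real controller).
SAMPLE_INVENTORY = """\
# name:version, one plugin per line
git:3.12.1
script-security:1.64
workflow-cps:2.74
"""


def parse_version(text):
    """Return a tuple of ints for a dotted-numeric version, else None."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    parts = [int(p) for p in text.split(".")]
    while len(parts) > 1 and parts[-1] == 0:   # treat 1.64.0 as 1.64
        parts.pop()
    return tuple(parts)


def check_inventory(inventory):
    """Return (status, version) for the Script Security entry."""
    for raw in inventory.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments and blanks
        if not line:
            continue
        name, _, version = line.partition(":")
        if name.strip() != PLUGIN_ID:
            continue
        version = version.strip()
        parsed = parse_version(version)
        if parsed is None:
            # Unpinned or qualified versions need a manual look.
            return ("unknown", version)
        status = "affected" if parsed <= LAST_AFFECTED else "not_affected"
        return (status, version)
    return ("absent", "")


if __name__ == "__main__":
    print(check_inventory(SAMPLE_INVENTORY))
```

An `unknown` result means the version was missing or not purely numeric, so the entry should be checked by hand rather than assumed safe.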

CVE Information:

CVE-2019-10431

Disclosure Timeline:

Published Date: 10/09/2019