Digital.ai Release Vulnerabilities

CVE-2023-24422

Sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code

Description

This vulnerability is specific to execution within Jenkins. In Release, the Groovy sandbox restricts class access on top of the sandbox provided by the Java Security Manager. Any implicit casts inside map constructors that could access restricted files or data are rejected by the Java Security Manager.

Impact On Release
The Release code base has been reviewed to verify that this vulnerability does not affect Release.

Affected Versions
23.1.x, 23.3.x, 24.1.x

Reference

https://nvd.nist.gov/vuln/detail/CVE-2023-24422

CVE-2022-46337

LDAP injection vulnerability in Apache Derby's authenticator

Description
Apache Derby versions up to 10.16.1.1 are vulnerable to an LDAP injection attack if Derby is configured to use LDAP for user authentication. An attacker can exploit this vulnerability by supplying a specially crafted username to bypass LDAP authentication checks.

Impact On Release
This vulnerability does not affect Release unless you use a Derby database to authenticate users against an LDAP directory service within your organization. Derby is included with Release as an embedded default database, but it should only be used for demonstration or testing purposes.

Derby is not recommended for production use. Refer to supported-databases to view the list of supported databases.

Affected Versions
24.1.x, 23.3.x, 23.1.x

Reference
https://nvd.nist.gov/vuln/detail/CVE-2022-46337

CVE-2022-45379

Jenkins Script Security Plugin stores whole-script approvals as the SHA-1 hash of the script, making it vulnerable to collision attacks

Description

This vulnerability is specific to execution within Jenkins. In Release, the Groovy sandbox restricts class access on top of the sandbox provided by the Java Security Manager. The whole-script approvals feature is not present in the version of the security sandbox employed by Release.

Impact On Release
The Release code base has been reviewed to verify that this vulnerability does not affect Release.

Affected Versions
23.1.x, 23.3.x, 24.1.x

Reference

https://nvd.nist.gov/vuln/detail/CVE-2022-45379

CVE-2022-43404

Sandbox bypass vulnerability involving crafted constructor bodies and calls to sandbox-generated synthetic constructors allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection

Description

This vulnerability is specific to execution within Jenkins. In Release, the Groovy sandbox restricts class access on top of the sandbox provided by the Java Security Manager. Subclassing classes using generated synthetic constructors is not possible due to the already restricted class access.

Impact On Release
The Release code base has been reviewed to verify that this vulnerability does not affect Release.

Affected Versions
23.1.x, 23.3.x, 24.1.x

Reference

https://nvd.nist.gov/vuln/detail/CVE-2022-43404

CVE-2022-43403

Sandbox bypass vulnerability involving casting an array-like value to an array type can allow attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection

Description

These vulnerabilities are specific to execution within Jenkins. In Release, the Groovy sandbox restricts class access on top of the sandbox provided by the Java Security Manager. Any implicit casts that could access restricted files or data are rejected by the Java Security Manager.

Impact On Release
The Release code base has been reviewed to verify that this vulnerability does not affect Release.

Affected Versions
23.1.x, 23.3.x, 24.1.x

Reference

https://nvd.nist.gov/vuln/detail/CVE-2022-43403

CVE-2022-43401

Sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime can allow attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection

Description

These vulnerabilities are specific to execution within Jenkins. In Release, the Groovy sandbox restricts class access on top of the sandbox provided by the Java Security Manager. Any implicit casts that could access restricted files or data are rejected by the Java Security Manager.

Impact On Release
The Release code base has been reviewed to verify that this vulnerability does not affect Release.

Affected Versions
23.1.x, 23.3.x, 24.1.x

Reference

https://nvd.nist.gov/vuln/detail/CVE-2022-43401

CVE-2022-1471

Unsafe deserialization vulnerability in Snake YAML

Description
In Snake YAML versions prior to 2.0, a vulnerability exists when untrusted YAML content is deserialized. Applications calling the Snake YAML load method can be susceptible to this vulnerability due to the constructor not restricting types that can be deserialized.
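One way to restrict the types a load call may construct, shown as an added example that is not Release's code and not part of the original article. It assumes the SnakeYAML library is on the classpath; the class name `SafeYamlLoad`, the alias limit of 20, and both sample documents are constructed for the illustration.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class SafeYamlLoad {
    // SafeConstructor builds only standard YAML types (maps, lists, strings,
    // numbers, booleans, ...). A document that names a Java class in a tag is
    // rejected instead of being instantiated.
    static Yaml safeYaml() {
        LoaderOptions options = new LoaderOptions();
        options.setAllowDuplicateKeys(false);      // reject ambiguous mappings
        options.setMaxAliasesForCollections(20);   // bound alias expansion (assumed limit)
        return new Yaml(new SafeConstructor(options));
    }

    // Yaml instances are not thread-safe, so a fresh one is built per call.
    static Object loadUntrusted(String document) {
        return safeYaml().load(document);
    }

    public static void main(String[] args) {
        // Constructed samples: plain data, and a document whose tag names a
        // (harmless) Java class to stand in for an attacker-chosen type.
        String plain = "name: demo\nreplicas: 3\n";
        String tagged = "!!java.util.concurrent.atomic.AtomicInteger 7\n";

        System.out.println("plain  -> " + loadUntrusted(plain));
        try {
            Object value = loadUntrusted(tagged);
            System.out.println("tagged -> constructed " + value.getClass().getName());
        } catch (YAMLException e) {
            System.out.println("tagged -> rejected by the safe loader");
        }
    }
}
```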

Impact On Release
The Release code base has been reviewed to verify that this vulnerability does not affect Release. The Denali release will include the 2.0 version of the Snake YAML library, including the fix for this vulnerability.

Affected Versions
23.1.x

Reference
https://nvd.nist.gov/vuln/detail/CVE-2022-1471

CVE-2020-2279

Sandbox bypass vulnerability in Jenkins Script Security Plugin allows attackers with permission to define sandboxed scripts to provide crafted return values or script binding content that can result in arbitrary code execution on the Jenkins controller JVM

Description

This vulnerability is specific to execution within Jenkins. In Release, the Groovy sandbox restricts class access on top of the sandbox provided by the Java Security Manager. No arbitrary return values or script binding content are evaluated outside the script execution sandbox.

Impact On Release
The Release code base has been reviewed to verify that this vulnerability does not affect Release.

Affected Versions
23.1.x, 23.3.x, 24.1.x

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-2279

CVE-2020-2110

Sandbox protection in Jenkins Script Security Plugin could be circumvented during the script compilation phase by applying AST transforming annotations to imports or by using them inside of other annotations

Description

This vulnerability is specific to execution within Jenkins. In Release, the Groovy sandbox restricts class access in addition to the sandbox provided by the Java Security Manager. The embedded Groovy runtime does not allow the execution of @Grab or other annotations which could make use of outside AST transformations.

Impact On Release
The Release code base has been reviewed to verify that this vulnerability does not affect Release.

Affected Versions
23.1.x, 23.3.x, 24.1.x

Reference

https://nvd.nist.gov/vuln/detail/CVE-2020-2110

CVE-2016-1000027

Potential remote code execution with Java deserialization of untrusted data

Description
Spring Framework contains a potential vulnerability when an application exposes an HTTP invoker service endpoint that performs Java deserialization on untrusted data.

Impact On Release
The Release code base has been reviewed to verify that Release is not affected by this vulnerability.

Affected Versions
23.3.x, 23.1.x

Reference
https://nvd.nist.gov/vuln/detail/cve-2016-1000027

CVE-2023-2976

Potential vulnerability with files created in a temporary directory

Description

In Google Guava library versions up to 32.0.0, there is a vulnerability in the FileBackedOutputStream method that can expose data created in a temporary directory on Unix systems.

Impact On Release

The Release code base has been reviewed to verify that Release is not utilizing this method in the Guava library and is not affected by this vulnerability.

Affected Versions
23.1.x

Reference

https://nvd.nist.gov/vuln/detail/cve-2023-2976
