CVE-2023-24422
Sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code
Description
This vulnerability is specific to execution within Jenkins. In Release, the Groovy sandbox restricts class access on top of the sandbox provided by the Java Security Manager. Any implicit casts inside map constructors that could access restricted files or data are rejected by the Java Security Manager.
Impact On Release
The Release code base has been reviewed to verify that this vulnerability does not affect Release.
Affected Versions
23.1.x, 23.3.x, 24.1.x
Reference
https://nvd.nist.gov/vuln/detail/CVE-2023-24422
CVE-2022-46337
LDAP injection vulnerability in Apache Derby's authenticator
Description
Apache Derby versions up to 10.16.1.1 are vulnerable to an LDAP injection attack if Derby is configured to use LDAP for user authentication. An attacker can exploit this vulnerability by supplying a specially crafted username to bypass LDAP authentication checks.
Impact On Release
This vulnerability does not affect Release unless you use a Derby database to authenticate users against an LDAP directory service within your organization. Derby is included with Release as an embedded default database, but it should only be used for demonstration or testing purposes.
Derby is not recommended for production use. Refer to supported-databases to view the list of supported databases.
Affected Versions
24.1.x, 23.3.x, 23.1.x
Reference
https://nvd.nist.gov/vuln/detail/CVE-2022-46337
CVE-2022-45379
Jenkins Script Security Plugin stores whole-script approvals as the SHA-1 hash of the script, making it vulnerable to collision attacks
Description
This vulnerability is specific to execution within Jenkins. In Release, the Groovy sandbox restricts class access on top of the sandbox provided by the Java Security Manager. The whole-script approvals feature is not present in the version of the security sandbox employed by Release.
Impact On Release
The Release code base has been reviewed to verify that this vulnerability does not affect Release.
Affected Versions
23.1.x, 23.3.x, 24.1.x
Reference
https://nvd.nist.gov/vuln/detail/CVE-2022-45379
CVE-2022-43404
Sandbox bypass vulnerability involving crafted constructor bodies and calls to sandbox-generated synthetic constructors allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection
Description
This vulnerability is specific to execution within Jenkins. In Release, the Groovy sandbox restricts class access on top of the sandbox provided by the Java Security Manager. Subclassing classes using generated synthetic constructors is not possible due to the already restricted class access.
Impact On Release
The Release code base has been reviewed to verify that this vulnerability does not affect Release.
Affected Versions
23.1.x, 23.3.x, 24.1.x
Reference
https://nvd.nist.gov/vuln/detail/CVE-2022-43404
CVE-2022-43403
Sandbox bypass vulnerability involving casting an array-like value to an array type can allow attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection
Description
This vulnerability is specific to execution within Jenkins. In Release, the Groovy sandbox restricts class access on top of the sandbox provided by the Java Security Manager. Any implicit casts that could access restricted files or data are rejected by the Java Security Manager.
Impact On Release
The Release code base has been reviewed to verify that this vulnerability does not affect Release.
Affected Versions
23.1.x, 23.3.x, 24.1.x
Reference
https://nvd.nist.gov/vuln/detail/CVE-2022-43403
CVE-2022-43401
Sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime can allow attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection
Description
This vulnerability is specific to execution within Jenkins. In Release, the Groovy sandbox restricts class access on top of the sandbox provided by the Java Security Manager. Any implicit casts that could access restricted files or data are rejected by the Java Security Manager.
Impact On Release
The Release code base has been reviewed to verify that this vulnerability does not affect Release.
Affected Versions
23.1.x, 23.3.x, 24.1.x
Reference
https://nvd.nist.gov/vuln/detail/CVE-2022-43401
CVE-2022-1471
Unsafe deserialization vulnerability in SnakeYAML
Description
In SnakeYAML versions prior to 2.0, a vulnerability exists when untrusted YAML content is deserialized. Applications that call the SnakeYAML load method can be susceptible to this vulnerability because the constructor does not restrict the types that can be deserialized.
Impact On Release
The Release code base has been reviewed to verify that this vulnerability does not affect Release. The Denali release will include version 2.0 of the SnakeYAML library, which contains the fix for this vulnerability.
Affected Versions
23.1.x
Reference
https://nvd.nist.gov/vuln/detail/CVE-2022-1471
CVE-2020-2279
Sandbox bypass vulnerability in Jenkins Script Security Plugin allows attackers with permission to define sandboxed scripts to provide crafted return values or script binding content that can result in arbitrary code execution on the Jenkins controller JVM
Description
This vulnerability is specific to execution within Jenkins. In Release, the Groovy sandbox restricts class access on top of the sandbox provided by the Java Security Manager. No arbitrary return values or script binding content are evaluated outside the script execution sandbox.
Impact On Release
The Release code base has been reviewed to verify that this vulnerability does not affect Release.
Affected Versions
23.1.x, 23.3.x, 24.1.x
Reference
https://nvd.nist.gov/vuln/detail/CVE-2020-2279
CVE-2020-2110
Sandbox protection in Jenkins Script Security Plugin could be circumvented during the script compilation phase by applying AST transforming annotations to imports or by using them inside of other annotations
Description
This vulnerability is specific to execution within Jenkins. In Release, the Groovy sandbox restricts class access in addition to the sandbox provided by the Java Security Manager. The embedded Groovy runtime does not allow the execution of @Grab or other annotations which could make use of outside AST transformations.
Impact On Release
The Release code base has been reviewed to verify that this vulnerability does not affect Release.
Affected Versions
23.1.x, 23.3.x, 24.1.x
Reference
https://nvd.nist.gov/vuln/detail/CVE-2020-2110
CVE-2016-1000027
Potential remote code execution with Java deserialization of untrusted data
Description
Spring Framework contains a potential vulnerability when an application exposes an HTTP invoker service endpoint that performs Java deserialization on untrusted data.
Impact On Release
The Release code base has been reviewed to verify that Release is not affected by this vulnerability.
Affected Versions
23.3.x, 23.1.x
Reference
https://nvd.nist.gov/vuln/detail/cve-2016-1000027
CVE-2023-2976
Potential vulnerability with files created in a temporary directory
Description
In Google Guava library versions up to 32.0.0, there is a vulnerability in the FileBackedOutputStream method that can expose data created in a temporary directory on Unix systems.
Impact On Release
The Release code base has been reviewed to verify that Release is not utilizing this method in the Guava library and is not affected by this vulnerability.
Affected Versions
23.1.x
Reference
https://nvd.nist.gov/vuln/detail/cve-2023-2976