CVE-2023-24422
Aliases:GHSA-76qj-9gwh-pvv3
Advisory lineage Upstream: 0 Downstream: 13
Modified
Published: 24 Jan 2023, 00:00
Last modified:02 Apr 2025, 14:30
Vulnerability Summary
Overall Risk (default)
medium
35/100 CVSS Score
8.8 HIGH
v3.1 (cve.org)
EPSS Score
0.04% LOW
0% probability +0.01%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
24 Jan 2023, 00:00
Published
Vulnerability first disclosed
02 Apr 2025, 14:30
Last Modified
Vulnerability information updated
Description
A sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a_2fb_25 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
CVSS Metrics
- v3.1•HIGH•Score: 8.8CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Trends
Current EPSS score: 0.04%• Percentile: 12%
Techniques & Countermeasures
- CWE-78•Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Affected Systems
- jenkins project•jenkins script security plugin
≥ unspecified, ≤ 1228.vd93135a_2fb_25
- jenkins•script_security
< 1229.v4880b_b_e905a_6
- org.jenkins-ci.plugins•script-security
< 1229.v4880b