Main Vulnerability Database Vulnerabilities #VU89154

Security features bypass in Script Security - CVE-2024-34145

Published: May 6, 2024

Vulnerability identifier: #VU89154

CSH Severity: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2024-34145

CWE-ID: CWE-254

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Script Security

Software vendor:
Jenkins

Description

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to the sandbox bypass issue involving sandbox-defined classes that shadow specific non-sandbox-defined classes. A remote user can define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code on the system.

Remediation

Install updates from vendor's website.

External links

https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3341
http://www.openwall.com/lists/oss-security/2024/05/02/3

Security features bypass in Script Security - CVE-2024-34145

Description

Remediation

External links

Please verify you're human