#VU25280 Permissions, Privileges, and Access Controls in Script Security - CVE-2020-2110
Published: February 13, 2020
Vulnerability identifier: #VU25280
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2020-2110
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Script Security
Script Security
Software vendor:
Jenkins
Jenkins
Description
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to the sandbox protection in the affected plugin can be circumvented during the script compilation phase by applying AST transforming annotations such as "@Grab" to imports or by using them inside of other annotations. A remote user with Overall/Read permission can bypass sandbox protection and execute arbitrary code in the context of the Jenkins master JVM.
Remediation
Install updates from vendor's website.