#VU71499 Permissions, Privileges, and Access Controls in Script Security


Published: 2023-01-25

Vulnerability identifier: #VU71499

Vulnerability risk: Medium

CVSSv3.1: 7.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-24422

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Script Security
Web applications / Modules and components for CMS

Vendor: Jenkins

Description

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to a sandbox bypass issue. A remote user can bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Script Security: 1228.vd93135a_2fb_25

External links
http://jenkins.io/security/advisory/2023-01-24/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM Automation Decision Services
Multiple vulnerabilities in IBM Cloud Pak for Business Automation
OpenShift Developer Tools and Services for OCP 4.12 update for Jenkins and Jenkins-2-plugins
OpenShift Developer Tools and Services for OCP 4.14 update for jenkins and jenkins-2-plugins
OpenShift Developer Tools and Services for OCP 4.13 update for jenkins and jenkins-2-plugins
OpenShift Developer Tools and Services for OCP 4.11 update for jenkins and jenkins-2-plugins
Red Hat Product OCP Tools 4.11 update for Openshift Jenkins
Red Hat Product OCP Tools 4.12 update for Openshift Jenkins
OpenShift Developer Tools and Services for OCP 4.13 update for jenkins and jenkins-2-plugins
OpenShift Developer Tools and Services for OCP 4.12 update for jenkins and jenkins-2-plugins