github - ghsa-62pm-mgrh-7p69

ghsa-62pm-mgrh-7p69

Vulnerability from github

Published

2022-05-24 17:01

Modified

2022-06-27 21:10

Severity

8.8 (High) - CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Incorrect Authorization in Jenkins Script Security Plugin

Details

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.67 and earlier related to the handling of default parameter expressions in closures allowed attackers to execute arbitrary code in sandboxed scripts.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.67"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:script-security"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.68"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-16538"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-863"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-27T21:10:52Z",
    "nvd_published_at": "2019-11-21T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.67 and earlier related to the handling of default parameter expressions in closures allowed attackers to execute arbitrary code in sandboxed scripts.",
  "id": "GHSA-62pm-mgrh-7p69",
  "modified": "2022-06-27T21:10:52Z",
  "published": "2022-05-24T17:01:40Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16538"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/script-security-plugin/commit/0e7da14171ed1d03ff72f6910392e630b40a8590"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-11-21/#SECURITY-1658"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/11/21/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Incorrect Authorization in Jenkins Script Security Plugin"
}

cve-2019-16538

Vulnerability from cvelistv5

Published

2019-11-21 14:11

Modified

2024-08-05 01:17

Severity

Summary

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.67 and earlier related to the handling of default parameter expressions in closures allowed attackers to execute arbitrary code in sandboxed scripts.

References

URL	Tags
https://jenkins.io/security/advisory/2019-11-21/#SECURITY-1658	x_refsource_CONFIRM
http://www.openwall.com/lists/oss-security/2019/11/21/1	mailing-list, x_refsource_MLIST

Impacted products

Vendor	Product
Jenkins project	Jenkins Script Security Plugin

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T01:17:40.259Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://jenkins.io/security/advisory/2019-11-21/#SECURITY-1658"
          },
          {
            "name": "[oss-security] 20191121 Multiple vulnerabilities in Jenkins plugins",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2019/11/21/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Jenkins Script Security Plugin",
          "vendor": "Jenkins project",
          "versions": [
            {
              "status": "affected",
              "version": "1.67 and earlier"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.67 and earlier related to the handling of default parameter expressions in closures allowed attackers to execute arbitrary code in sandboxed scripts."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-24T16:50:24.932Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://jenkins.io/security/advisory/2019-11-21/#SECURITY-1658"
        },
        {
          "name": "[oss-security] 20191121 Multiple vulnerabilities in Jenkins plugins",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2019/11/21/1"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "jenkinsci-cert@googlegroups.com",
          "ID": "CVE-2019-16538",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Jenkins Script Security Plugin",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "1.67 and earlier"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Jenkins project"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.67 and earlier related to the handling of default parameter expressions in closures allowed attackers to execute arbitrary code in sandboxed scripts."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-265"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://jenkins.io/security/advisory/2019-11-21/#SECURITY-1658",
              "refsource": "CONFIRM",
              "url": "https://jenkins.io/security/advisory/2019-11-21/#SECURITY-1658"
            },
            {
              "name": "[oss-security] 20191121 Multiple vulnerabilities in Jenkins plugins",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2019/11/21/1"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2019-16538",
    "datePublished": "2019-11-21T14:11:20",
    "dateReserved": "2019-09-20T00:00:00",
    "dateUpdated": "2024-08-05T01:17:40.259Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.