github - ghsa-qvmf-36h5-3f5v

ghsa-qvmf-36h5-3f5v

Vulnerability from github

Published

2022-05-24 17:08

Modified

2022-06-24 00:59

Severity

8.8 (High) - CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

Improper Input Validation in Jenkins Script Security Plugin

Details

Sandbox protection in Jenkins Script Security Plugin 1.69 and earlier could be circumvented during the script compilation phase by applying AST transforming annotations to imports or by using them inside of other annotations.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 1.69"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:script-security"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.70"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2110"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-24T00:59:37Z",
    "nvd_published_at": "2020-02-12T15:15:00Z",
    "severity": "HIGH"
  },
  "details": "Sandbox protection in Jenkins Script Security Plugin 1.69 and earlier could be circumvented during the script compilation phase by applying AST transforming annotations to imports or by using them inside of other annotations.",
  "id": "GHSA-qvmf-36h5-3f5v",
  "modified": "2022-06-24T00:59:37Z",
  "published": "2022-05-24T17:08:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2110"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/script-security-plugin/commit/1a09bdcf789b87c4e158aacebd40937c64398de3"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1713"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/02/12/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper Input Validation in Jenkins Script Security Plugin"
}

cve-2020-2110

Vulnerability from cvelistv5

Published

2020-02-12 14:35

Modified

2024-08-04 07:01

Severity

Summary

Sandbox protection in Jenkins Script Security Plugin 1.69 and earlier could be circumvented during the script compilation phase by applying AST transforming annotations to imports or by using them inside of other annotations.

References

URL	Tags
https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1713	x_refsource_CONFIRM
http://www.openwall.com/lists/oss-security/2020/02/12/3	mailing-list, x_refsource_MLIST

Impacted products

Vendor	Product
Jenkins project	Jenkins Script Security Plugin

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T07:01:39.727Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1713"
          },
          {
            "name": "[oss-security] 20200212 Multiple vulnerabilities in Jenkins plugins",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2020/02/12/3"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Jenkins Script Security Plugin",
          "vendor": "Jenkins project",
          "versions": [
            {
              "lessThanOrEqual": "1.69",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Sandbox protection in Jenkins Script Security Plugin 1.69 and earlier could be circumvented during the script compilation phase by applying AST transforming annotations to imports or by using them inside of other annotations."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-24T16:05:06.077Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1713"
        },
        {
          "name": "[oss-security] 20200212 Multiple vulnerabilities in Jenkins plugins",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2020/02/12/3"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "jenkinsci-cert@googlegroups.com",
          "ID": "CVE-2020-2110",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Jenkins Script Security Plugin",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "1.69"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Jenkins project"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Sandbox protection in Jenkins Script Security Plugin 1.69 and earlier could be circumvented during the script compilation phase by applying AST transforming annotations to imports or by using them inside of other annotations."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-265"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1713",
              "refsource": "CONFIRM",
              "url": "https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1713"
            },
            {
              "name": "[oss-security] 20200212 Multiple vulnerabilities in Jenkins plugins",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2020/02/12/3"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2020-2110",
    "datePublished": "2020-02-12T14:35:40",
    "dateReserved": "2019-12-05T00:00:00",
    "dateUpdated": "2024-08-04T07:01:39.727Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.