CVE-2024-34144

high-risk

Published 2024-05-02

A sandbox bypass vulnerability involving crafted constructor bodies in Jenkins Script Security Plugin 1335.vf07d9ce377a_e and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

Do I need to act?

50.1% chance of exploitation in next 30 days

EPSS score — higher than 50% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.8/10 Critical

NETWORK / LOW complexity

Affected Products (1)

Script Security

Affected Vendors

Jenkins

References (4)

Mailing List http://www.openwall.com/lists/oss-security/2024/05/02/3

Vendor Advisory https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3341

Mailing List http://www.openwall.com/lists/oss-security/2024/05/02/3

Vendor Advisory https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3341

/ 100

high-risk

Severity 32/34 · Critical

Exploitability 18/34 · Moderate

Exposure 5/34 · Minimal