search

snowdensb / job-dsl-plugin

A Groovy DSL for Jenkins Jobs - Sweeeeet!
Apache License 2.0
0 stars 0 forks source link

script-security-1.54.jar: 18 vulnerabilities (highest severity is: 9.9) #240

Open mend-for-github-com[bot] opened 7 months ago

mend-for-github-com[bot] commented 7 months ago
Vulnerable Library - script-security-1.54.jar

Allows Jenkins administrators to control what in-process scripts can be run by less-privileged users.

Library home page: https://wiki.jenkins.io/display/JENKINS/Script+Security+Plugin

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.plugins/script-security/1.54/f3a86e493aadee03660779add827d0f6384d0120/script-security-1.54.jar

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (script-security version) Remediation Possible** Reachability
CVE-2020-2279 Critical 9.9 script-security-1.54.jar Direct org.jenkins-ci.plugins:script-security:1.75
CVE-2019-10431 Critical 9.9 script-security-1.54.jar Direct 1.65
CVE-2019-1003040 Critical 9.8 script-security-1.54.jar Direct 1.56
CVE-2024-34145 High 8.8 script-security-1.54.jar Direct org.jenkins-ci.plugins:script-security:1336.vf33a_a_9863911
CVE-2024-34144 High 8.8 script-security-1.54.jar Direct org.jenkins-ci.plugins:script-security:1336.vf33a_a_9863911
CVE-2023-24422 High 8.8 script-security-1.54.jar Direct org.jenkins-ci.plugins:script-security:1229.v4880b_b_e905a_6
CVE-2020-2135 High 8.8 script-security-1.54.jar Direct org.jenkins-ci.plugins:script-security:1.71
CVE-2020-2134 High 8.8 script-security-1.54.jar Direct org.jenkins-ci.plugins:script-security:1.71
CVE-2020-2110 High 8.8 script-security-1.54.jar Direct 1.70
CVE-2019-16538 High 8.8 script-security-1.54.jar Direct org.jenkins-ci.plugins:script-security:1.68
CVE-2022-45379 High 7.5 script-security-1.54.jar Direct N/A
CVE-2020-2190 Medium 5.4 script-security-1.54.jar Direct org.jenkins-ci.plugins:script-security:1.73
CVE-2024-52549 Medium 4.3 script-security-1.54.jar Direct io.jenkins.plugins:script-security:1368.vb_b_402e3547e7
CVE-2022-30946 Medium 4.3 script-security-1.54.jar Direct org.jenkins-ci.plugins:script-security:1172.v35f6a_0b_8207e
CVE-2019-10400 Medium 4.2 script-security-1.54.jar Direct 1.63
CVE-2019-10399 Medium 4.2 script-security-1.54.jar Direct 1.63
CVE-2019-10394 Medium 4.2 script-security-1.54.jar Direct 1.63
CVE-2019-10393 Medium 4.2 script-security-1.54.jar Direct 1.63

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-2279 ### Vulnerable Library - script-security-1.54.jar

Allows Jenkins administrators to control what in-process scripts can be run by less-privileged users.

Library home page: https://wiki.jenkins.io/display/JENKINS/Script+Security+Plugin

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.plugins/script-security/1.54/f3a86e493aadee03660779add827d0f6384d0120/script-security-1.54.jar

Dependency Hierarchy: - :x: **script-security-1.54.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.74 and earlier allows attackers with permission to define sandboxed scripts to provide crafted return values or script binding content that can result in arbitrary code execution on the Jenkins controller JVM.

Publish Date: 2020-09-23

URL: CVE-2020-2279

### CVSS 3 Score Details (9.9)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.jenkins.io/security/advisory/2020-09-23/#SECURITY-2020

Release Date: 2020-09-23

Fix Resolution: org.jenkins-ci.plugins:script-security:1.75

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2019-10431 ### Vulnerable Library - script-security-1.54.jar

Allows Jenkins administrators to control what in-process scripts can be run by less-privileged users.

Library home page: https://wiki.jenkins.io/display/JENKINS/Script+Security+Plugin

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.plugins/script-security/1.54/f3a86e493aadee03660779add827d0f6384d0120/script-security-1.54.jar

Dependency Hierarchy: - :x: **script-security-1.54.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.64 and earlier related to the handling of default parameter expressions in constructors allowed attackers to execute arbitrary code in sandboxed scripts.

Publish Date: 2019-10-01

URL: CVE-2019-10431

### CVSS 3 Score Details (9.9)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://jenkins.io/security/advisory/2019-10-01/

Release Date: 2019-10-01

Fix Resolution: 1.65

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2019-1003040 ### Vulnerable Library - script-security-1.54.jar

Allows Jenkins administrators to control what in-process scripts can be run by less-privileged users.

Library home page: https://wiki.jenkins.io/display/JENKINS/Script+Security+Plugin

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.plugins/script-security/1.54/f3a86e493aadee03660779add827d0f6384d0120/script-security-1.54.jar

Dependency Hierarchy: - :x: **script-security-1.54.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.55 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts.

Publish Date: 2019-03-28

URL: CVE-2019-1003040

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003040

Release Date: 2019-03-28

Fix Resolution: 1.56

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-34145 ### Vulnerable Library - script-security-1.54.jar

Allows Jenkins administrators to control what in-process scripts can be run by less-privileged users.

Library home page: https://wiki.jenkins.io/display/JENKINS/Script+Security+Plugin

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.plugins/script-security/1.54/f3a86e493aadee03660779add827d0f6384d0120/script-security-1.54.jar

Dependency Hierarchy: - :x: **script-security-1.54.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

A sandbox bypass vulnerability involving sandbox-defined classes that shadow specific non-sandbox-defined classes in Jenkins Script Security Plugin 1335.vf07d9ce377a_e and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

Publish Date: 2024-05-02

URL: CVE-2024-34145

### CVSS 3 Score Details (8.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-34145

Release Date: 2024-05-02

Fix Resolution: org.jenkins-ci.plugins:script-security:1336.vf33a_a_9863911

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-34144 ### Vulnerable Library - script-security-1.54.jar

Allows Jenkins administrators to control what in-process scripts can be run by less-privileged users.

Library home page: https://wiki.jenkins.io/display/JENKINS/Script+Security+Plugin

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.plugins/script-security/1.54/f3a86e493aadee03660779add827d0f6384d0120/script-security-1.54.jar

Dependency Hierarchy: - :x: **script-security-1.54.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

A sandbox bypass vulnerability involving crafted constructor bodies in Jenkins Script Security Plugin 1335.vf07d9ce377a_e and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

Publish Date: 2024-05-02

URL: CVE-2024-34144

### CVSS 3 Score Details (8.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-34144

Release Date: 2024-05-02

Fix Resolution: org.jenkins-ci.plugins:script-security:1336.vf33a_a_9863911

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2023-24422 ### Vulnerable Library - script-security-1.54.jar

Allows Jenkins administrators to control what in-process scripts can be run by less-privileged users.

Library home page: https://wiki.jenkins.io/display/JENKINS/Script+Security+Plugin

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.plugins/script-security/1.54/f3a86e493aadee03660779add827d0f6384d0120/script-security-1.54.jar

Dependency Hierarchy: - :x: **script-security-1.54.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

A sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a_2fb_25 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

Publish Date: 2023-01-24

URL: CVE-2023-24422

### CVSS 3 Score Details (8.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-3016

Release Date: 2023-01-24

Fix Resolution: org.jenkins-ci.plugins:script-security:1229.v4880b_b_e905a_6

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2020-2135 ### Vulnerable Library - script-security-1.54.jar

Allows Jenkins administrators to control what in-process scripts can be run by less-privileged users.

Library home page: https://wiki.jenkins.io/display/JENKINS/Script+Security+Plugin

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.plugins/script-security/1.54/f3a86e493aadee03660779add827d0f6384d0120/script-security-1.54.jar

Dependency Hierarchy: - :x: **script-security-1.54.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted method calls on objects that implement GroovyInterceptable.

Publish Date: 2020-03-09

URL: CVE-2020-2135

### CVSS 3 Score Details (8.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2135

Release Date: 2020-03-09

Fix Resolution: org.jenkins-ci.plugins:script-security:1.71

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2020-2134 ### Vulnerable Library - script-security-1.54.jar

Allows Jenkins administrators to control what in-process scripts can be run by less-privileged users.

Library home page: https://wiki.jenkins.io/display/JENKINS/Script+Security+Plugin

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.plugins/script-security/1.54/f3a86e493aadee03660779add827d0f6384d0120/script-security-1.54.jar

Dependency Hierarchy: - :x: **script-security-1.54.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted constructor calls and crafted constructor bodies.

Publish Date: 2020-03-09

URL: CVE-2020-2134

### CVSS 3 Score Details (8.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2134

Release Date: 2020-03-09

Fix Resolution: org.jenkins-ci.plugins:script-security:1.71

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2020-2110 ### Vulnerable Library - script-security-1.54.jar

Allows Jenkins administrators to control what in-process scripts can be run by less-privileged users.

Library home page: https://wiki.jenkins.io/display/JENKINS/Script+Security+Plugin

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.plugins/script-security/1.54/f3a86e493aadee03660779add827d0f6384d0120/script-security-1.54.jar

Dependency Hierarchy: - :x: **script-security-1.54.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Sandbox protection in Jenkins Script Security Plugin 1.69 and earlier could be circumvented during the script compilation phase by applying AST transforming annotations to imports or by using them inside of other annotations.

Publish Date: 2020-02-12

URL: CVE-2020-2110

### CVSS 3 Score Details (8.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://jenkins.io/security/advisory/2020-02-12

Release Date: 2020-02-12

Fix Resolution: 1.70

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2019-16538 ### Vulnerable Library - script-security-1.54.jar

Allows Jenkins administrators to control what in-process scripts can be run by less-privileged users.

Library home page: https://wiki.jenkins.io/display/JENKINS/Script+Security+Plugin

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.plugins/script-security/1.54/f3a86e493aadee03660779add827d0f6384d0120/script-security-1.54.jar

Dependency Hierarchy: - :x: **script-security-1.54.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.67 and earlier related to the handling of default parameter expressions in closures allowed attackers to execute arbitrary code in sandboxed scripts.

Publish Date: 2019-11-21

URL: CVE-2019-16538

### CVSS 3 Score Details (8.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2019-11-21

Fix Resolution: org.jenkins-ci.plugins:script-security:1.68

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-45379 ### Vulnerable Library - script-security-1.54.jar

Allows Jenkins administrators to control what in-process scripts can be run by less-privileged users.

Library home page: https://wiki.jenkins.io/display/JENKINS/Script+Security+Plugin

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.plugins/script-security/1.54/f3a86e493aadee03660779add827d0f6384d0120/script-security-1.54.jar

Dependency Hierarchy: - :x: **script-security-1.54.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the script, making it vulnerable to collision attacks.

Publish Date: 2022-11-15

URL: CVE-2022-45379

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

CVE-2020-2190 ### Vulnerable Library - script-security-1.54.jar

Allows Jenkins administrators to control what in-process scripts can be run by less-privileged users.

Library home page: https://wiki.jenkins.io/display/JENKINS/Script+Security+Plugin

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.plugins/script-security/1.54/f3a86e493aadee03660779add827d0f6384d0120/script-security-1.54.jar

Dependency Hierarchy: - :x: **script-security-1.54.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Jenkins Script Security Plugin 1.72 and earlier does not correctly escape pending or approved classpath entries on the In-process Script Approval page, resulting in a stored cross-site scripting vulnerability.

Publish Date: 2020-06-03

URL: CVE-2020-2190

### CVSS 3 Score Details (5.4)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-2190

Release Date: 2020-06-03

Fix Resolution: org.jenkins-ci.plugins:script-security:1.73

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2024-52549 ### Vulnerable Library - script-security-1.54.jar

Allows Jenkins administrators to control what in-process scripts can be run by less-privileged users.

Library home page: https://wiki.jenkins.io/display/JENKINS/Script+Security+Plugin

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.plugins/script-security/1.54/f3a86e493aadee03660779add827d0f6384d0120/script-security-1.54.jar

Dependency Hierarchy: - :x: **script-security-1.54.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Jenkins Script Security Plugin 1367.vdf2fc45f229c and earlier, except 1365.1367.va_3b_b_89f8a_95b_ and 1362.1364.v4cf2dc5d8776, does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files on the controller file system.

Publish Date: 2024-11-13

URL: CVE-2024-52549

### CVSS 3 Score Details (4.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3447

Release Date: 2024-11-13

Fix Resolution: io.jenkins.plugins:script-security:1368.vb_b_402e3547e7

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2022-30946 ### Vulnerable Library - script-security-1.54.jar

Allows Jenkins administrators to control what in-process scripts can be run by less-privileged users.

Library home page: https://wiki.jenkins.io/display/JENKINS/Script+Security+Plugin

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.plugins/script-security/1.54/f3a86e493aadee03660779add827d0f6384d0120/script-security-1.54.jar

Dependency Hierarchy: - :x: **script-security-1.54.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b_73a_69a_08 and earlier allows attackers to have Jenkins send an HTTP request to an attacker-specified webserver.

Publish Date: 2022-05-17

URL: CVE-2022-30946

### CVSS 3 Score Details (4.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2116

Release Date: 2022-05-17

Fix Resolution: org.jenkins-ci.plugins:script-security:1172.v35f6a_0b_8207e

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2019-10400 ### Vulnerable Library - script-security-1.54.jar

Allows Jenkins administrators to control what in-process scripts can be run by less-privileged users.

Library home page: https://wiki.jenkins.io/display/JENKINS/Script+Security+Plugin

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.plugins/script-security/1.54/f3a86e493aadee03660779add827d0f6384d0120/script-security-1.54.jar

Dependency Hierarchy: - :x: **script-security-1.54.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of subexpressions in increment and decrement expressions not involving actual assignment allowed attackers to execute arbitrary code in sandboxed scripts.

Publish Date: 2019-09-12

URL: CVE-2019-10400

### CVSS 3 Score Details (4.2)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10400

Release Date: 2019-09-12

Fix Resolution: 1.63

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2019-10399 ### Vulnerable Library - script-security-1.54.jar

Allows Jenkins administrators to control what in-process scripts can be run by less-privileged users.

Library home page: https://wiki.jenkins.io/display/JENKINS/Script+Security+Plugin

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.plugins/script-security/1.54/f3a86e493aadee03660779add827d0f6384d0120/script-security-1.54.jar

Dependency Hierarchy: - :x: **script-security-1.54.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of property names in property expressions in increment and decrement expressions allowed attackers to execute arbitrary code in sandboxed scripts.

Publish Date: 2019-09-12

URL: CVE-2019-10399

### CVSS 3 Score Details (4.2)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10399

Release Date: 2019-09-12

Fix Resolution: 1.63

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2019-10394 ### Vulnerable Library - script-security-1.54.jar

Allows Jenkins administrators to control what in-process scripts can be run by less-privileged users.

Library home page: https://wiki.jenkins.io/display/JENKINS/Script+Security+Plugin

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.plugins/script-security/1.54/f3a86e493aadee03660779add827d0f6384d0120/script-security-1.54.jar

Dependency Hierarchy: - :x: **script-security-1.54.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of property names in property expressions on the left-hand side of assignment expressions allowed attackers to execute arbitrary code in sandboxed scripts.

Publish Date: 2019-09-12

URL: CVE-2019-10394

### CVSS 3 Score Details (4.2)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10394

Release Date: 2019-09-12

Fix Resolution: 1.63

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.
CVE-2019-10393 ### Vulnerable Library - script-security-1.54.jar

Allows Jenkins administrators to control what in-process scripts can be run by less-privileged users.

Library home page: https://wiki.jenkins.io/display/JENKINS/Script+Security+Plugin

Path to dependency file: /build.gradle

Path to vulnerable library: /caches/modules-2/files-2.1/org.jenkins-ci.plugins/script-security/1.54/f3a86e493aadee03660779add827d0f6384d0120/script-security-1.54.jar

Dependency Hierarchy: - :x: **script-security-1.54.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of method names in method call expressions allowed attackers to execute arbitrary code in sandboxed scripts.

Publish Date: 2019-09-12

URL: CVE-2019-10393

### CVSS 3 Score Details (4.2)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10393

Release Date: 2019-09-12

Fix Resolution: 1.63

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.