CVE-2020-2135 - Vulnerability Details - OpenCVE

Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted method calls on objects that implement GroovyInterceptable.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00183.

Key SSVC decision points have not yet been added.

Vendors	Products
Jenkins	Script Security
Redhat	Openshift

Configuration 1 [-]

cpe:2.3:a:jenkins:script_security:*:*:*:*:*:jenkins:*:*

Package	CPE	Advisory	Released Date
Red Hat OpenShift Container Platform 3.11
jenkins-2-plugins-0:3.11.1591354111-1.el7	cpe:/a:redhat:openshift:3.11::el7	RHSA-2020:2478	2020-06-17T00:00:00Z
Red Hat OpenShift Container Platform 4.3
jenkins-2-plugins-0:4.3.1597915133-1.el7	cpe:/a:redhat:openshift:4.3::el7	RHSA-2020:3616	2020-09-09T00:00:00Z
Red Hat OpenShift Container Platform 4.4
jenkins-2-plugins-0:4.4.1592817009-1.el7	cpe:/a:redhat:openshift:4.4::el7	RHSA-2020:2737	2020-06-29T00:00:00Z

No data.

References

Link	Providers
http://www.openwall.com/lists/oss-security/2020/03/09/1
https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1754
https://nvd.nist.gov/vuln/detail/CVE-2020-2135
https://www.cve.org/CVERecord?id=CVE-2020-2135

History

No history.

MITRE

Status: PUBLISHED

Assigner: jenkins

Published: 2020-03-09T15:00:56

Updated: 2024-08-04T07:01:41.104Z

Reserved: 2019-12-05T00:00:00

Link: CVE-2020-2135

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-03-09T16:15:12.703

Modified: 2024-11-21T05:24:45.250

Link: CVE-2020-2135

Redhat

Severity : Important

Publid Date: 2020-03-09T00:00:00Z

Links: CVE-2020-2135 - Bugzilla

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "Jenkins Script Security Plugin", "vendor": "Jenkins project", "versions": [{"lessThanOrEqual": "1.70", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted method calls on objects that implement GroovyInterceptable."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T16:05:35.460Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1754"}, {"name": "[oss-security] 20200309 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2020/03/09/1"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2020-2135", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins Script Security Plugin", "version": {"version_data": [{"version_affected": "<=", "version_value": "1.70"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted method calls on objects that implement GroovyInterceptable."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-693: Protection Mechanism Failure"}]}]}, "references": {"reference_data": [{"name": "https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1754", "refsource": "CONFIRM", "url": "https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1754"}, {"name": "[oss-security] 20200309 Multiple vulnerabilities in Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2020/03/09/1"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T07:01:41.104Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1754"}, {"name": "[oss-security] 20200309 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2020/03/09/1"}]}]}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2020-2135", "datePublished": "2020-03-09T15:00:56", "dateReserved": "2019-12-05T00:00:00", "dateUpdated": "2024-08-04T07:01:41.104Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:script_security:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "0C9D2B3A-06D9-4568-AA6F-B750B0208FF7", "versionEndIncluding": "1.70", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted method calls on objects that implement GroovyInterceptable."}, {"lang": "es", "value": "La protecci\u00f3n de Sandbox en Jenkins Script Security Plugin versiones 1.70 y anteriores, podr\u00eda ser omitida mediante llamadas de m\u00e9todo dise\u00f1adas sobre objetos que implementan GroovyInterceptable."}], "id": "CVE-2020-2135", "lastModified": "2024-11-21T05:24:45.250", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-03-09T16:15:12.703", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2020/03/09/1"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1754"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2020/03/09/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1754"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}