Impact
The Jenkins Script Security Plugin fails to intercept implicit type casts applied to elements of typed for‑each loops in sandboxed Groovy scripts. An attacker who can supply such scripts is able to invoke arbitrary constructors, effectively bypassing the sandbox and executing unrestricted code inside the Jenkins environment, thereby compromising confidentiality, integrity and availability. The weakness corresponds to CWE‑1287.
Affected Systems
Vulnerable installations are those running Jenkins Script Security Plugin version 1402.v94c9ce464861 or earlier. All sites that have not upgraded this plugin are potentially exposed.
Risk and Exploitability
An attacker who can deliver Groovy scripts to the Jenkins server can exercise this flaw to achieve arbitrary code execution. The CVSS score of 8.8 indicates high severity, but the EPSS score of < 1% shows a low exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Attack feasibility requires only the ability to submit scripts, which many Jenkins configurations allow to authorized users, making the risk significant for environments with open script execution rights.
OpenCVE Enrichment