Description
Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Snippet Generator, allowing attackers to instantiate types related to job or system configuration other than Pipeline steps.
Published: 2026-06-24
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Jenkins Pipeline: Groovy Plugin does not restrict the Java types that can be instantiated through the Pipeline Snippet Generator, which allows an attacker to create objects of classes related to job or system configuration rather than ordinary Pipeline steps. This weakness can enable an attacker to modify job definitions or alter system settings, potentially leading to unauthorized configuration changes or arbitrary code execution if malicious classes are instantiated. The flaw is classified as CWE-470 (Use of Externally-Controlled Input to Select Classes or Code, 'Unsafe Reflection').

Affected Systems

Jenkins Pipeline Groovy Plugin versions 4331.v9d06ed4658ff and earlier are affected. Users should check the installed plugin version and plan an upgrade to a later release that limits the classes that can be created through the Snippet Generator.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. The attack route involves interacting with the Pipeline Snippet Generator, which typically requires user authentication and appropriate permissions within Jenkins; it is therefore inferred that an authenticated user with at least view or build rights could exploit the flaw, although the description does not explicitly confirm this. The lack of type restrictions provides a defined path for configuration tampering or possible code execution, though such outcomes are not explicitly stated in the advisory and are noted here as a likely consequence.

Generated by OpenCVE AI on June 24, 2026 at 16:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Jenkins Pipeline Groovy Plugin to a version newer than 4331.v9d06ed4658ff.
  • Restrict access to the Pipeline Snippet Generator by configuring role-based permissions so that only administrators or trusted users can use it.
  • Monitor Jenkins job and system configuration files and logs for unexpected changes and review them regularly for signs of tampering.


Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:45:00 +0000

Type | Values Removed | Values Added
Title | | Unrestricted Type Instantiation via Jenkins Pipeline Groovy Plugin Snippet Generator

Wed, 24 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-470
Metrics | | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}
 | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 24 Jun 2026 13:45:00 +0000

Type | Values Removed | Values Added
Description | | Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline Snippet Generator, allowing attackers to instantiate types related to job or system configuration other than Pipeline steps.
References | |

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-24T13:59:13.717Z

Reserved: 2026-06-24T08:41:44.357Z

Link: CVE-2026-57284

Vulnrichment

Updated: 2026-06-24T13:55:10.683Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T16:30:06Z

Weaknesses
  • CWE-470

    Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')