CVE-2023-24422 in Script Security Plugin

Summary

by MITRE • 01/26/2023

A sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a_2fb_25 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.


Analysis

by VulDB Data Team • 07/03/2025

This vulnerability exists within the Jenkins Script Security Plugin where map constructors fail to properly validate input parameters, creating a sandbox bypass opportunity. The flaw allows authenticated attackers with permissions to execute sandboxed scripts to circumvent security restrictions and gain arbitrary code execution capabilities within the Jenkins controller's Java virtual machine context. The vulnerability specifically impacts versions 1228.vd93135a_2fb_25 and earlier, making it critical for organizations running these outdated plugin versions.

The technical implementation involves the improper handling of map constructor arguments within the sandboxed execution environment. When attackers provide malicious input to map constructors, the validation mechanisms fail to properly sanitize or restrict the parameters, allowing the execution of unauthorized code patterns that would normally be blocked by the sandbox. This represents a direct violation of the principle of least privilege and sandbox isolation that the Script Security Plugin is designed to enforce. The vulnerability falls under CWE-787: Out-of-bounds Write and CWE-94: Improper Control of Generation of Code, as it allows for arbitrary code execution through controlled input manipulation.

Operationally, this vulnerability poses significant risk to Jenkins environments as it enables attackers with relatively low privileges to escalate their access and potentially compromise the entire Jenkins infrastructure. The attack requires only permissions to define and execute sandboxed scripts, which many organizations grant to developers or CI/CD pipeline operators. Once exploited, the attacker can execute arbitrary commands on the Jenkins controller, potentially leading to data exfiltration, system compromise, or further lateral movement within the network. The impact extends beyond immediate code execution as it undermines the fundamental security model of the Jenkins platform.

Organizations should immediately upgrade to Jenkins Script Security Plugin version 1229.v10245181712d or later to remediate this vulnerability. The patch addresses the map constructor validation by implementing proper input sanitization and parameter checking mechanisms. Additional mitigations include restricting permissions for script execution, implementing network segmentation, and monitoring for suspicious script execution patterns. Security teams should also conduct comprehensive audits of Jenkins configurations to ensure no unauthorized script execution capabilities remain. This vulnerability aligns with ATT&CK technique T1059.001: Command and Scripting Interpreter and T1078.004: Valid Accounts, as it leverages legitimate script execution permissions to bypass security controls.
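
To support the upgrade check described above, the following added example (not code from VulDB or the Jenkins project) audits plugin inventories for Script Security releases in the affected range. It assumes each inventory is the JSON text saved from a controller's `/pluginManager/api/json?depth=1` endpoint and that the leading numeric component of the version orders releases; the controller names and sample inventories are constructed.

```python
import json
import re

PLUGIN = "script-security"
LAST_AFFECTED = 1228  # leading number of 1228.vd93135a_2fb_25, the last affected release

def classify(version):
    """Return 'affected', 'fixed' or 'unknown' for a plugin version string."""
    # Assumption: the leading numeric component orders releases, so legacy
    # versions such as 1.78 sort before 1228 and count as affected.
    m = re.match(r"(\d+)(?:\.|$)", version.strip())
    if m is None:
        return "unknown"  # unparseable: review by hand rather than assume safe
    return "affected" if int(m.group(1)) <= LAST_AFFECTED else "fixed"

def audit(inventories):
    """inventories maps controller name -> plugin-manager JSON text."""
    findings = []
    for controller, text in sorted(inventories.items()):
        plugins = json.loads(text).get("plugins", [])
        match = [p for p in plugins if p.get("shortName") == PLUGIN]
        if not match:
            findings.append((controller, None, "not-installed"))
        for p in match:
            version = p.get("version", "")
            findings.append((controller, version, classify(version)))
    return findings

# Constructed sample inventories (not real controllers).
SAMPLE = {
    "ci-a": json.dumps({"plugins": [
        {"shortName": "script-security", "version": "1228.vd93135a_2fb_25", "enabled": True},
        {"shortName": "git", "version": "5.0.0", "enabled": True}]}),
    "ci-b": json.dumps({"plugins": [
        {"shortName": "script-security", "version": "1229.v10245181712d", "enabled": True}]}),
    "ci-c": json.dumps({"plugins": [
        {"shortName": "script-security", "version": "1.78", "enabled": True}]}),
}

if __name__ == "__main__":
    for controller, version, status in audit(SAMPLE):
        print(f"{controller}: {PLUGIN} {version} -> {status}")
```

Controllers reported as `affected` or `unknown` are the ones to upgrade or inspect first.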

Reservation

01/23/2023

Disclosure

01/26/2023

Moderation

accepted

CPE

ready

EPSS

0.00585

KEV

no

Activities

very low
