CVE-2024-34145
sandbox bypass vulnerability in script-security (Maven)
What is CVE-2024-34145 About?
This vulnerability is a sandbox bypass in the Jenkins Script Security Plugin. Users who are allowed to define and run sandboxed Groovy scripts (for example Pipeline definitions) but who are not administrators can escape the sandbox and execute arbitrary code in the Jenkins controller JVM, which amounts to full compromise of the controller. Exploitation relies on crafting specific Groovy script constructs.
Affected Software
- Jenkins Script Security Plugin (org.jenkins-ci.plugins:script-security), versions before 1336.vf33a
Technical Details
The Jenkins Script Security Plugin's sandbox is meant to let untrusted, user-defined Groovy scripts run on the controller while restricting them to an allowlist of approved methods, fields and constructors. This vulnerability allows two distinct ways to bypass that protection:
- Crafted constructor bodies that invoke other constructors can be used to construct any subclassable type via implicit casts.
- Sandbox-defined Groovy classes that shadow specific non-sandbox-defined classes can also be used to construct any subclassable type.
Either technique lets an attacker who can define and run sandboxed scripts instantiate types the sandbox would normally refuse, escape the sandbox, and execute arbitrary code directly within the Jenkins controller JVM, circumventing the intended security model.
What is the Impact of CVE-2024-34145?
Successful exploitation may allow attackers to execute arbitrary code in the context of the Jenkins controller JVM, leading to complete compromise of the Jenkins instance, data theft, or further network penetration.
What is the Exploitability of CVE-2024-34145?
Exploitation requires an attacker to have permission to define and run sandboxed scripts, such as Pipelines. This typically means having Item/Configure or similar permissions within Jenkins; administrators do not need the bypass because they can approve scripts to run outside the sandbox. Crafting the Groovy code that triggers the bypass is non-trivial. The attack is remote, since the attacker interacts with the Jenkins web interface (or its API) to submit the script. No special conditions beyond script execution privileges are known. At the time of writing no public exploit is known, which raises the barrier to entry, but because a successful bypass yields arbitrary code execution on the controller this remains a high-risk vulnerability and should be patched promptly.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2024-34145?
Available Upgrade Options
- org.jenkins-ci.plugins:script-security
- <1336.vf33a → Upgrade to 1336.vf33a
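The following check is an added example and is not code from the advisory or from the Script Security Plugin. It reports whether an installed script-security plugin sorts before the first fixed release. It assumes the usual Jenkins plugin version layout, a leading integer build number followed by a commit-hash suffix (e.g. 1336.vf33a...), so that ordering is decided by the numeric prefix; the sample API response below is constructed for illustration, and the version strings in it are made up.

```python
"""Check a Jenkins controller's script-security plugin version against the
CVE-2024-34145 fix (first fixed release 1336.vf33a...).

Added example, not part of the advisory or the plugin. Assumption: Jenkins
plugin versions of the form "<build>.v<hash>" order by the leading integer.
"""
import json
import re
from typing import Optional

# Leading integer of the fixed version listed in the advisory (1336.vf33a...).
FIXED_PREFIX = 1336

_PREFIX_RE = re.compile(r"^(\d+)")


def version_prefix(version: str) -> Optional[int]:
    """Return the leading integer of a Jenkins plugin version, or None if
    the string does not start with digits."""
    m = _PREFIX_RE.match(version.strip())
    return int(m.group(1)) if m else None


def is_vulnerable(version: str) -> bool:
    """True when the version sorts before the first fixed release.
    Unparseable versions are reported as vulnerable so they get reviewed
    rather than silently passed."""
    prefix = version_prefix(version)
    return prefix is None or prefix < FIXED_PREFIX


def check_plugins(plugin_api_json: str) -> dict:
    """Parse the JSON returned by /pluginManager/api/json?depth=1 and report
    the state of the script-security plugin."""
    data = json.loads(plugin_api_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == "script-security":
            ver = str(plugin.get("version", ""))
            return {
                "installed": True,
                "version": ver,
                "active": bool(plugin.get("active", True)),
                "vulnerable": is_vulnerable(ver),
            }
    # Plugin absent: nothing to patch, but Pipeline-based jobs will also be absent.
    return {"installed": False, "version": None, "active": False, "vulnerable": False}


# Constructed sample response in the shape the pluginManager API returns;
# the plugin versions here are made up for the example.
SAMPLE_RESPONSE = json.dumps({
    "plugins": [
        {"shortName": "workflow-cps", "version": "3900.v1a_b_c", "active": True},
        {"shortName": "script-security", "version": "1320.v0d1e2f3a_4b_5c", "active": True},
    ]
})

if __name__ == "__main__":
    # Against a live controller you would fetch
    #   <JENKINS_URL>/pluginManager/api/json?depth=1
    # with a user API token and pass the body to check_plugins(). The
    # constructed sample is used here so the script runs offline.
    print(check_plugins(SAMPLE_RESPONSE))
```

Old-style two-part versions such as 1.78 also parse (prefix 1) and are correctly flagged as vulnerable. Treat an unparseable version as a finding to investigate rather than as a pass.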
Additional Resources
- http://www.openwall.com/lists/oss-security/2024/05/02/3
- https://osv.dev/vulnerability/GHSA-2g4q-9vm9-9fw4
- https://nvd.nist.gov/vuln/detail/CVE-2024-34145
- https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3341
What are Similar Vulnerabilities to CVE-2024-34145?
Similar Vulnerabilities: CVE-2023-24422, CVE-2022-29780, CVE-2021-21674, CVE-2020-2221, CVE-2019-1003000
