VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-qnbx-c635-hqer

Essentials
Severities (29)
References (14)
Severity details (16)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-qnbx-c635-hqer
Aliases	CVE-2024-34144 GHSA-v63g-v339-2673
Summary	Jenkins Script Security Plugin has sandbox bypass vulnerability involving crafted constructor bodies Jenkins Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowed. Multiple sandbox bypass vulnerabilities exist in Script Security Plugin 1335.vf07d9ce377a_e and earlier: - Crafted constructor bodies that invoke other constructors can be used to construct any subclassable type via implicit casts. - Sandbox-defined Groovy classes that shadow specific non-sandbox-defined classes can be used to construct any subclassable type. These vulnerabilities allow attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. - These issues are caused by an incomplete fix of [SECURITY-2824](https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)). Script Security Plugin 1336.vf33a_a_9863911 has additional restrictions and sanity checks to ensure that super constructors cannot be constructed without being intercepted by the sandbox: - Calls to to other constructors using this are now intercepted by the sandbox. - Classes in packages that can be shadowed by Groovy-defined classes are no longer ignored by the sandbox when intercepting super constructor calls.
Status	Published
Exploitability	0.5
Weighted Severity	8.8
Risk	4.4
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-693	Protection Mechanism Failure
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	8.8	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-34144.json
epss	0.50053	https://api.first.org/data/v1/epss?cve=CVE-2024-34144
epss	0.50053	https://api.first.org/data/v1/epss?cve=CVE-2024-34144
epss	0.50053	https://api.first.org/data/v1/epss?cve=CVE-2024-34144
epss	0.50053	https://api.first.org/data/v1/epss?cve=CVE-2024-34144
epss	0.50053	https://api.first.org/data/v1/epss?cve=CVE-2024-34144
epss	0.50053	https://api.first.org/data/v1/epss?cve=CVE-2024-34144
epss	0.50053	https://api.first.org/data/v1/epss?cve=CVE-2024-34144
epss	0.50053	https://api.first.org/data/v1/epss?cve=CVE-2024-34144
epss	0.50053	https://api.first.org/data/v1/epss?cve=CVE-2024-34144
epss	0.50053	https://api.first.org/data/v1/epss?cve=CVE-2024-34144
epss	0.50053	https://api.first.org/data/v1/epss?cve=CVE-2024-34144
epss	0.50053	https://api.first.org/data/v1/epss?cve=CVE-2024-34144
epss	0.50053	https://api.first.org/data/v1/epss?cve=CVE-2024-34144
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-v63g-v339-2673
cvssv3.1	8.8	https://github.com/jenkinsci/script-security-plugin
generic_textual	HIGH	https://github.com/jenkinsci/script-security-plugin
cvssv3.1	8.8	https://github.com/jenkinsci/script-security-plugin/releases/tag/1336.vf33a_a_9863911
generic_textual	HIGH	https://github.com/jenkinsci/script-security-plugin/releases/tag/1336.vf33a_a_9863911
cvssv3.1	8.8	https://nvd.nist.gov/vuln/detail/CVE-2024-34144
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2024-34144
cvssv3.1	8.8	https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3341
cvssv3.1	9.8	https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3341
generic_textual	HIGH	https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3341
ssvc	Track	https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3341
cvssv3.1	8.8	http://www.openwall.com/lists/oss-security/2024/05/02/3
cvssv3.1	9.8	http://www.openwall.com/lists/oss-security/2024/05/02/3
generic_textual	HIGH	http://www.openwall.com/lists/oss-security/2024/05/02/3
ssvc	Track	http://www.openwall.com/lists/oss-security/2024/05/02/3

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-34144.json
		https://api.first.org/data/v1/epss?cve=CVE-2024-34144
		https://github.com/jenkinsci/script-security-plugin
		https://github.com/jenkinsci/script-security-plugin/releases/tag/1336.vf33a_a_9863911
		https://nvd.nist.gov/vuln/detail/CVE-2024-34144
		https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3341
		http://www.openwall.com/lists/oss-security/2024/05/02/3
2278820		https://bugzilla.redhat.com/show_bug.cgi?id=2278820
GHSA-v63g-v339-2673		https://github.com/advisories/GHSA-v63g-v339-2673
RHSA-2024:3634		https://access.redhat.com/errata/RHSA-2024:3634
RHSA-2024:3635		https://access.redhat.com/errata/RHSA-2024:3635
RHSA-2024:3636		https://access.redhat.com/errata/RHSA-2024:3636
RHSA-2024:4597		https://access.redhat.com/errata/RHSA-2024:4597
RHSA-2024:8886		https://access.redhat.com/errata/RHSA-2024:8886

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-34144.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/jenkinsci/script-security-plugin

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/jenkinsci/script-security-plugin/releases/tag/1336.vf33a_a_9863911

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2024-34144

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3341

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3341

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-05-02T15:28:35Z/ Found at https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3341

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at http://www.openwall.com/lists/oss-security/2024/05/02/3

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Found at http://www.openwall.com/lists/oss-security/2024/05/02/3

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-05-02T15:28:35Z/ Found at http://www.openwall.com/lists/oss-security/2024/05/02/3

Exploit Prediction Scoring System (EPSS)

Percentile	0.97806
EPSS Score	0.50053
Published At	April 2, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T12:51:49.779808+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-v63g-v339-2673/GHSA-v63g-v339-2673.json	38.0.0