VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-yn97-nd7r-b7hj

Essentials
Severities (28)
References (12)
Severity details (12)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-yn97-nd7r-b7hj
Aliases	CVE-2020-2135 GHSA-qvhf-3567-pc4v
Summary	Sandbox bypass vulnerability in Script Security Plugin Sandbox protection in Script Security Plugin 1.70 and earlier can be circumvented through: - Crafted constructor calls and bodies (due to an incomplete fix of [SECURITY-582](https://www.jenkins.io/security/advisory/2017-08-07/#super-constructor-calls)) - Crafted method calls on objects that implement `GroovyInterceptable` This allows attackers able to specify and run sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM. Script Security Plugin 1.71 has additional restrictions and sanity checks to ensure that super constructors cannot be constructed without being intercepted by the sandbox. In addition, it also intercepts method calls on objects that implement `GroovyInterceptable` as calls to `GroovyObject#invokeMethod(String, Object)`, which is on the list of dangerous signatures and should not be approved for use in the sandbox.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (5)

CWE-693	Protection Mechanism Failure
CWE-863	Incorrect Authorization
CWE-94	Improper Control of Generation of Code ('Code Injection')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	8.8	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-2135.json
epss	0.00183	https://api.first.org/data/v1/epss?cve=CVE-2020-2135
epss	0.00183	https://api.first.org/data/v1/epss?cve=CVE-2020-2135
epss	0.00183	https://api.first.org/data/v1/epss?cve=CVE-2020-2135
epss	0.00183	https://api.first.org/data/v1/epss?cve=CVE-2020-2135
epss	0.00183	https://api.first.org/data/v1/epss?cve=CVE-2020-2135
epss	0.00183	https://api.first.org/data/v1/epss?cve=CVE-2020-2135
epss	0.00183	https://api.first.org/data/v1/epss?cve=CVE-2020-2135
epss	0.00183	https://api.first.org/data/v1/epss?cve=CVE-2020-2135
epss	0.00183	https://api.first.org/data/v1/epss?cve=CVE-2020-2135
epss	0.00183	https://api.first.org/data/v1/epss?cve=CVE-2020-2135
epss	0.00183	https://api.first.org/data/v1/epss?cve=CVE-2020-2135
epss	0.00183	https://api.first.org/data/v1/epss?cve=CVE-2020-2135
epss	0.00183	https://api.first.org/data/v1/epss?cve=CVE-2020-2135
epss	0.00183	https://api.first.org/data/v1/epss?cve=CVE-2020-2135
epss	0.00183	https://api.first.org/data/v1/epss?cve=CVE-2020-2135
epss	0.00183	https://api.first.org/data/v1/epss?cve=CVE-2020-2135
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-qvhf-3567-pc4v
cvssv3.1	8.8	https://github.com/jenkinsci/script-security-plugin
generic_textual	HIGH	https://github.com/jenkinsci/script-security-plugin
cvssv3.1	8.8	https://github.com/jenkinsci/script-security-plugin/commit/5b1969e0bdf5cde04a165b847144756b28495788
generic_textual	HIGH	https://github.com/jenkinsci/script-security-plugin/commit/5b1969e0bdf5cde04a165b847144756b28495788
cvssv3.1	8.8	https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1754
generic_textual	HIGH	https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1754
cvssv3.1	8.8	https://nvd.nist.gov/vuln/detail/CVE-2020-2135
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2020-2135
cvssv3.1	8.8	http://www.openwall.com/lists/oss-security/2020/03/09/1
generic_textual	HIGH	http://www.openwall.com/lists/oss-security/2020/03/09/1

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-2135.json
		https://api.first.org/data/v1/epss?cve=CVE-2020-2135
		https://github.com/jenkinsci/script-security-plugin
		https://github.com/jenkinsci/script-security-plugin/commit/5b1969e0bdf5cde04a165b847144756b28495788
		https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1754
		https://nvd.nist.gov/vuln/detail/CVE-2020-2135
		http://www.openwall.com/lists/oss-security/2020/03/09/1
1819078		https://bugzilla.redhat.com/show_bug.cgi?id=1819078
GHSA-qvhf-3567-pc4v		https://github.com/advisories/GHSA-qvhf-3567-pc4v
RHSA-2020:2478		https://access.redhat.com/errata/RHSA-2020:2478
RHSA-2020:2737		https://access.redhat.com/errata/RHSA-2020:2737
RHSA-2020:3616		https://access.redhat.com/errata/RHSA-2020:3616

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-2135.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/jenkinsci/script-security-plugin

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/jenkinsci/script-security-plugin/commit/5b1969e0bdf5cde04a165b847144756b28495788

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1754

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2020-2135

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at http://www.openwall.com/lists/oss-security/2020/03/09/1

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.399
EPSS Score	0.00183
Published At	April 1, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T13:10:42.018153+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qvhf-3567-pc4v/GHSA-qvhf-3567-pc4v.json	38.0.0