Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:maven/org.jenkins-ci.plugins/script-security@1336.vf33a
Typemaven
Namespaceorg.jenkins-ci.plugins
Namescript-security
Version1336.vf33a
Qualifiers
Subpath
Is_vulnerablefalse
Next_non_vulnerable_version1368.vb
Latest_non_vulnerable_version1402.v94c9ce464861
Affected_by_vulnerabilities
Fixing_vulnerabilities
0
url VCID-acdw-t3mm-wbhb
vulnerability_id VCID-acdw-t3mm-wbhb
summary 
Jenkins Script Security Plugin sandbox bypass vulnerability
Jenkins Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowed.

Multiple sandbox bypass vulnerabilities exist in Script Security Plugin 1335.vf07d9ce377a_e and earlier:

- Crafted constructor bodies that invoke other constructors can be used to construct any subclassable type via implicit casts.

- Sandbox-defined Groovy classes that shadow specific non-sandbox-defined classes can be used to construct any subclassable type.

These vulnerabilities allow attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-34145.json
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-34145.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-34145
reference_id
reference_type
scores
0
value 0.0006
scoring_system epss
scoring_elements 0.18618
published_at 2026-05-07T12:55:00Z
1
value 0.0006
scoring_system epss
scoring_elements 0.1891
published_at 2026-04-12T12:55:00Z
2
value 0.0006
scoring_system epss
scoring_elements 0.18859
published_at 2026-04-13T12:55:00Z
3
value 0.0006
scoring_system epss
scoring_elements 0.18811
published_at 2026-04-16T12:55:00Z
4
value 0.0006
scoring_system epss
scoring_elements 0.18823
published_at 2026-04-18T12:55:00Z
5
value 0.0006
scoring_system epss
scoring_elements 0.18839
published_at 2026-04-21T12:55:00Z
6
value 0.0006
scoring_system epss
scoring_elements 0.18727
published_at 2026-04-24T12:55:00Z
7
value 0.0006
scoring_system epss
scoring_elements 0.18706
published_at 2026-04-26T12:55:00Z
8
value 0.0006
scoring_system epss
scoring_elements 0.18662
published_at 2026-04-29T12:55:00Z
9
value 0.0006
scoring_system epss
scoring_elements 0.18534
published_at 2026-05-05T12:55:00Z
10
value 0.0006
scoring_system epss
scoring_elements 0.19042
published_at 2026-04-02T12:55:00Z
11
value 0.0006
scoring_system epss
scoring_elements 0.19094
published_at 2026-04-04T12:55:00Z
12
value 0.0006
scoring_system epss
scoring_elements 0.18816
published_at 2026-04-07T12:55:00Z
13
value 0.0006
scoring_system epss
scoring_elements 0.18896
published_at 2026-04-08T12:55:00Z
14
value 0.0006
scoring_system epss
scoring_elements 0.18951
published_at 2026-04-09T12:55:00Z
15
value 0.0006
scoring_system epss
scoring_elements 0.18957
published_at 2026-04-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-34145
2
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-34145
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-34145
3
reference_url https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3341
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-02T15:32:34Z/
url https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3341
4
reference_url http://www.openwall.com/lists/oss-security/2024/05/02/3
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2024-05-02T15:32:34Z/
url http://www.openwall.com/lists/oss-security/2024/05/02/3
5
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2278821
reference_id 2278821
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2278821
6
reference_url https://github.com/advisories/GHSA-2g4q-9vm9-9fw4
reference_id GHSA-2g4q-9vm9-9fw4
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2g4q-9vm9-9fw4
7
reference_url https://access.redhat.com/errata/RHSA-2024:3634
reference_id RHSA-2024:3634
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3634
8
reference_url https://access.redhat.com/errata/RHSA-2024:3635
reference_id RHSA-2024:3635
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3635
9
reference_url https://access.redhat.com/errata/RHSA-2024:3636
reference_id RHSA-2024:3636
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3636
10
reference_url https://access.redhat.com/errata/RHSA-2024:4597
reference_id RHSA-2024:4597
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4597
fixed_packages
0
url pkg:maven/org.jenkins-ci.plugins/script-security@1336.vf33a
purl pkg:maven/org.jenkins-ci.plugins/script-security@1336.vf33a
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.plugins/script-security@1336.vf33a
aliases CVE-2024-34145, GHSA-2g4q-9vm9-9fw4
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-acdw-t3mm-wbhb
1
url VCID-qnbx-c635-hqer
vulnerability_id VCID-qnbx-c635-hqer
summary 
Jenkins Script Security Plugin has sandbox bypass vulnerability involving crafted constructor bodies
Jenkins Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowed.

Multiple sandbox bypass vulnerabilities exist in Script Security Plugin 1335.vf07d9ce377a_e and earlier:

- Crafted constructor bodies that invoke other constructors can be used to construct any subclassable type via implicit casts.

- Sandbox-defined Groovy classes that shadow specific non-sandbox-defined classes can be used to construct any subclassable type.

These vulnerabilities allow attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

- These issues are caused by an incomplete fix of [SECURITY-2824](https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)).

Script Security Plugin 1336.vf33a_a_9863911 has additional restrictions and sanity checks to ensure that super constructors cannot be constructed without being intercepted by the sandbox:

- Calls to to other constructors using this are now intercepted by the sandbox.

- Classes in packages that can be shadowed by Groovy-defined classes are no longer ignored by the sandbox when intercepting super constructor calls.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-34144.json
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-34144.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-34144
reference_id
reference_type
scores
0
value 0.50053
scoring_system epss
scoring_elements 0.9784
published_at 2026-05-07T12:55:00Z
1
value 0.50053
scoring_system epss
scoring_elements 0.97815
published_at 2026-04-08T12:55:00Z
2
value 0.50053
scoring_system epss
scoring_elements 0.97821
published_at 2026-04-11T12:55:00Z
3
value 0.50053
scoring_system epss
scoring_elements 0.97806
published_at 2026-04-02T12:55:00Z
4
value 0.50053
scoring_system epss
scoring_elements 0.97808
published_at 2026-04-04T12:55:00Z
5
value 0.50053
scoring_system epss
scoring_elements 0.97811
published_at 2026-04-07T12:55:00Z
6
value 0.50053
scoring_system epss
scoring_elements 0.97818
published_at 2026-04-09T12:55:00Z
7
value 0.50053
scoring_system epss
scoring_elements 0.97836
published_at 2026-04-29T12:55:00Z
8
value 0.50053
scoring_system epss
scoring_elements 0.97831
published_at 2026-04-26T12:55:00Z
9
value 0.50053
scoring_system epss
scoring_elements 0.97832
published_at 2026-04-21T12:55:00Z
10
value 0.50053
scoring_system epss
scoring_elements 0.97833
published_at 2026-04-18T12:55:00Z
11
value 0.50053
scoring_system epss
scoring_elements 0.9783
published_at 2026-04-24T12:55:00Z
12
value 0.50053
scoring_system epss
scoring_elements 0.97824
published_at 2026-04-13T12:55:00Z
13
value 0.50053
scoring_system epss
scoring_elements 0.97823
published_at 2026-04-12T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-34144
2
reference_url https://github.com/jenkinsci/script-security-plugin
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/jenkinsci/script-security-plugin
3
reference_url https://github.com/jenkinsci/script-security-plugin/releases/tag/1336.vf33a_a_9863911
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/jenkinsci/script-security-plugin/releases/tag/1336.vf33a_a_9863911
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-34144
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-34144
5
reference_url https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3341
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-05-02T15:28:35Z/
url https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3341
6
reference_url http://www.openwall.com/lists/oss-security/2024/05/02/3
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-05-02T15:28:35Z/
url http://www.openwall.com/lists/oss-security/2024/05/02/3
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2278820
reference_id 2278820
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2278820
8
reference_url https://github.com/advisories/GHSA-v63g-v339-2673
reference_id GHSA-v63g-v339-2673
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v63g-v339-2673
9
reference_url https://access.redhat.com/errata/RHSA-2024:3634
reference_id RHSA-2024:3634
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3634
10
reference_url https://access.redhat.com/errata/RHSA-2024:3635
reference_id RHSA-2024:3635
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3635
11
reference_url https://access.redhat.com/errata/RHSA-2024:3636
reference_id RHSA-2024:3636
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3636
12
reference_url https://access.redhat.com/errata/RHSA-2024:4597
reference_id RHSA-2024:4597
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4597
13
reference_url https://access.redhat.com/errata/RHSA-2024:8886
reference_id RHSA-2024:8886
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8886
fixed_packages
0
url pkg:maven/org.jenkins-ci.plugins/script-security@1336.vf33a
purl pkg:maven/org.jenkins-ci.plugins/script-security@1336.vf33a
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.plugins/script-security@1336.vf33a
aliases CVE-2024-34144, GHSA-v63g-v339-2673
risk_score 4.4
exploitability 0.5
weighted_severity 8.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qnbx-c635-hqer
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.plugins/script-security@1336.vf33a