Django REST framework

Vulnerability Instance

Lookup for vulnerabilities affecting packages.

Vulnerability_idVCID-qnbx-c635-hqer
Summary
Jenkins Script Security Plugin has sandbox bypass vulnerability involving crafted constructor bodies
Jenkins Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowed.

Multiple sandbox bypass vulnerabilities exist in Script Security Plugin 1335.vf07d9ce377a_e and earlier:

- Crafted constructor bodies that invoke other constructors can be used to construct any subclassable type via implicit casts.

- Sandbox-defined Groovy classes that shadow specific non-sandbox-defined classes can be used to construct any subclassable type.

These vulnerabilities allow attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

- These issues are caused by an incomplete fix of [SECURITY-2824](https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)).

Script Security Plugin 1336.vf33a_a_9863911 has additional restrictions and sanity checks to ensure that super constructors cannot be constructed without being intercepted by the sandbox:

- Calls to to other constructors using this are now intercepted by the sandbox.

- Classes in packages that can be shadowed by Groovy-defined classes are no longer ignored by the sandbox when intercepting super constructor calls.
Aliases
0
alias CVE-2024-34144
1
alias GHSA-v63g-v339-2673
Fixed_packages
0
url pkg:maven/org.jenkins-ci.plugins/script-security@1336.vf33a
purl pkg:maven/org.jenkins-ci.plugins/script-security@1336.vf33a
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.plugins/script-security@1336.vf33a
Affected_packages
0
url pkg:rpm/redhat/jenkins@2.440.3.1716387933-3?arch=el8
purl pkg:rpm/redhat/jenkins@2.440.3.1716387933-3?arch=el8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3cnb-4rqk-zbez
1
vulnerability VCID-5qhm-ase5-5qhy
2
vulnerability VCID-6rup-vv6d-eqd8
3
vulnerability VCID-acdw-t3mm-wbhb
4
vulnerability VCID-f8ak-21d8-juff
5
vulnerability VCID-jzn6-bzzf-nugp
6
vulnerability VCID-qnbx-c635-hqer
7
vulnerability VCID-s4j7-r6m7-tyey
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins@2.440.3.1716387933-3%3Farch=el8
1
url pkg:rpm/redhat/jenkins@2.440.3.1716445150-3?arch=el8
purl pkg:rpm/redhat/jenkins@2.440.3.1716445150-3?arch=el8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3cnb-4rqk-zbez
1
vulnerability VCID-5qhm-ase5-5qhy
2
vulnerability VCID-6rup-vv6d-eqd8
3
vulnerability VCID-acdw-t3mm-wbhb
4
vulnerability VCID-f8ak-21d8-juff
5
vulnerability VCID-jzn6-bzzf-nugp
6
vulnerability VCID-qnbx-c635-hqer
7
vulnerability VCID-s4j7-r6m7-tyey
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins@2.440.3.1716445150-3%3Farch=el8
2
url pkg:rpm/redhat/jenkins@2.440.3.1716445200-3?arch=el8
purl pkg:rpm/redhat/jenkins@2.440.3.1716445200-3?arch=el8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3cnb-4rqk-zbez
1
vulnerability VCID-5qhm-ase5-5qhy
2
vulnerability VCID-6rup-vv6d-eqd8
3
vulnerability VCID-acdw-t3mm-wbhb
4
vulnerability VCID-f8ak-21d8-juff
5
vulnerability VCID-jzn6-bzzf-nugp
6
vulnerability VCID-qnbx-c635-hqer
7
vulnerability VCID-s4j7-r6m7-tyey
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins@2.440.3.1716445200-3%3Farch=el8
3
url pkg:rpm/redhat/jenkins@2.440.3.1718879390-3?arch=el8
purl pkg:rpm/redhat/jenkins@2.440.3.1718879390-3?arch=el8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3cnb-4rqk-zbez
1
vulnerability VCID-5qhm-ase5-5qhy
2
vulnerability VCID-6rup-vv6d-eqd8
3
vulnerability VCID-acdw-t3mm-wbhb
4
vulnerability VCID-f8ak-21d8-juff
5
vulnerability VCID-jzn6-bzzf-nugp
6
vulnerability VCID-qnbx-c635-hqer
7
vulnerability VCID-s4j7-r6m7-tyey
8
vulnerability VCID-tsgr-5mwt-jkeh
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins@2.440.3.1718879390-3%3Farch=el8
4
url pkg:rpm/redhat/jenkins@2.462.3.1730119132-3?arch=el8
purl pkg:rpm/redhat/jenkins@2.462.3.1730119132-3?arch=el8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1bh8-3gb1-4ben
1
vulnerability VCID-jarz-xtnw-ufbz
2
vulnerability VCID-mkf8-a5k3-83fs
3
vulnerability VCID-qnbx-c635-hqer
4
vulnerability VCID-vpxs-mxz3-xqch
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins@2.462.3.1730119132-3%3Farch=el8
5
url pkg:rpm/redhat/jenkins-2-plugins@4.12.1716445211-1?arch=el8
purl pkg:rpm/redhat/jenkins-2-plugins@4.12.1716445211-1?arch=el8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3cnb-4rqk-zbez
1
vulnerability VCID-5qhm-ase5-5qhy
2
vulnerability VCID-6rup-vv6d-eqd8
3
vulnerability VCID-acdw-t3mm-wbhb
4
vulnerability VCID-f8ak-21d8-juff
5
vulnerability VCID-jzn6-bzzf-nugp
6
vulnerability VCID-qnbx-c635-hqer
7
vulnerability VCID-s4j7-r6m7-tyey
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins-2-plugins@4.12.1716445211-1%3Farch=el8
6
url pkg:rpm/redhat/jenkins-2-plugins@4.12.1730119231-1?arch=el8
purl pkg:rpm/redhat/jenkins-2-plugins@4.12.1730119231-1?arch=el8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1bh8-3gb1-4ben
1
vulnerability VCID-jarz-xtnw-ufbz
2
vulnerability VCID-mkf8-a5k3-83fs
3
vulnerability VCID-qnbx-c635-hqer
4
vulnerability VCID-vpxs-mxz3-xqch
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins-2-plugins@4.12.1730119231-1%3Farch=el8
7
url pkg:rpm/redhat/jenkins-2-plugins@4.13.1716445207-1?arch=el8
purl pkg:rpm/redhat/jenkins-2-plugins@4.13.1716445207-1?arch=el8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3cnb-4rqk-zbez
1
vulnerability VCID-5qhm-ase5-5qhy
2
vulnerability VCID-6rup-vv6d-eqd8
3
vulnerability VCID-acdw-t3mm-wbhb
4
vulnerability VCID-f8ak-21d8-juff
5
vulnerability VCID-jzn6-bzzf-nugp
6
vulnerability VCID-qnbx-c635-hqer
7
vulnerability VCID-s4j7-r6m7-tyey
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins-2-plugins@4.13.1716445207-1%3Farch=el8
8
url pkg:rpm/redhat/jenkins-2-plugins@4.14.1716388016-1?arch=el8
purl pkg:rpm/redhat/jenkins-2-plugins@4.14.1716388016-1?arch=el8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3cnb-4rqk-zbez
1
vulnerability VCID-5qhm-ase5-5qhy
2
vulnerability VCID-6rup-vv6d-eqd8
3
vulnerability VCID-acdw-t3mm-wbhb
4
vulnerability VCID-f8ak-21d8-juff
5
vulnerability VCID-jzn6-bzzf-nugp
6
vulnerability VCID-qnbx-c635-hqer
7
vulnerability VCID-s4j7-r6m7-tyey
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins-2-plugins@4.14.1716388016-1%3Farch=el8
9
url pkg:rpm/redhat/jenkins-2-plugins@4.15.1718879538-1?arch=el8
purl pkg:rpm/redhat/jenkins-2-plugins@4.15.1718879538-1?arch=el8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3cnb-4rqk-zbez
1
vulnerability VCID-5qhm-ase5-5qhy
2
vulnerability VCID-6rup-vv6d-eqd8
3
vulnerability VCID-acdw-t3mm-wbhb
4
vulnerability VCID-f8ak-21d8-juff
5
vulnerability VCID-jzn6-bzzf-nugp
6
vulnerability VCID-qnbx-c635-hqer
7
vulnerability VCID-s4j7-r6m7-tyey
8
vulnerability VCID-tsgr-5mwt-jkeh
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins-2-plugins@4.15.1718879538-1%3Farch=el8
References
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-34144.json
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-34144.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-34144
reference_id
reference_type
scores
0
value 0.50053
scoring_system epss
scoring_elements 0.9785
published_at 2026-05-14T12:55:00Z
1
value 0.50053
scoring_system epss
scoring_elements 0.97808
published_at 2026-04-04T12:55:00Z
2
value 0.50053
scoring_system epss
scoring_elements 0.97811
published_at 2026-04-07T12:55:00Z
3
value 0.50053
scoring_system epss
scoring_elements 0.97815
published_at 2026-04-08T12:55:00Z
4
value 0.50053
scoring_system epss
scoring_elements 0.97818
published_at 2026-04-09T12:55:00Z
5
value 0.50053
scoring_system epss
scoring_elements 0.97821
published_at 2026-04-11T12:55:00Z
6
value 0.50053
scoring_system epss
scoring_elements 0.97823
published_at 2026-04-12T12:55:00Z
7
value 0.50053
scoring_system epss
scoring_elements 0.97824
published_at 2026-04-13T12:55:00Z
8
value 0.50053
scoring_system epss
scoring_elements 0.9783
published_at 2026-04-24T12:55:00Z
9
value 0.50053
scoring_system epss
scoring_elements 0.97833
published_at 2026-04-18T12:55:00Z
10
value 0.50053
scoring_system epss
scoring_elements 0.97832
published_at 2026-04-21T12:55:00Z
11
value 0.50053
scoring_system epss
scoring_elements 0.97831
published_at 2026-04-26T12:55:00Z
12
value 0.50053
scoring_system epss
scoring_elements 0.97836
published_at 2026-04-29T12:55:00Z
13
value 0.50053
scoring_system epss
scoring_elements 0.9784
published_at 2026-05-07T12:55:00Z
14
value 0.50053
scoring_system epss
scoring_elements 0.97841
published_at 2026-05-11T12:55:00Z
15
value 0.50053
scoring_system epss
scoring_elements 0.97845
published_at 2026-05-12T12:55:00Z
16
value 0.50053
scoring_system epss
scoring_elements 0.97806
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-34144
2
reference_url https://github.com/jenkinsci/script-security-plugin
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/jenkinsci/script-security-plugin
3
reference_url https://github.com/jenkinsci/script-security-plugin/releases/tag/1336.vf33a_a_9863911
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/jenkinsci/script-security-plugin/releases/tag/1336.vf33a_a_9863911
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-34144
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-34144
5
reference_url https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3341
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-05-02T15:28:35Z/
url https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3341
6
reference_url http://www.openwall.com/lists/oss-security/2024/05/02/3
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value 9.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-05-02T15:28:35Z/
url http://www.openwall.com/lists/oss-security/2024/05/02/3
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2278820
reference_id 2278820
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2278820
8
reference_url https://github.com/advisories/GHSA-v63g-v339-2673
reference_id GHSA-v63g-v339-2673
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-v63g-v339-2673
9
reference_url https://access.redhat.com/errata/RHSA-2024:3634
reference_id RHSA-2024:3634
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3634
10
reference_url https://access.redhat.com/errata/RHSA-2024:3635
reference_id RHSA-2024:3635
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3635
11
reference_url https://access.redhat.com/errata/RHSA-2024:3636
reference_id RHSA-2024:3636
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3636
12
reference_url https://access.redhat.com/errata/RHSA-2024:4597
reference_id RHSA-2024:4597
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:4597
13
reference_url https://access.redhat.com/errata/RHSA-2024:8886
reference_id RHSA-2024:8886
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:8886
Weaknesses
0
cwe_id 693
name Protection Mechanism Failure
description The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
1
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
2
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
Exploits
Severity_range_score7.0 - 9.8
Exploitability0.5
Weighted_severity8.8
Risk_score4.4
Resource_urlhttp://public2.vulnerablecode.io/vulnerabilities/VCID-qnbx-c635-hqer