VYPR
Critical severity · NVD Advisory · Published Sep 23, 2020 · Updated Aug 4, 2024

CVE-2020-2279

Description

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.74 and earlier allows attackers with permission to define sandboxed scripts to provide crafted return values or script binding content that can result in arbitrary code execution on the Jenkins controller JVM.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Script Security Plugin 1.74 and earlier allows sandbox bypass via crafted return values or script bindings, leading to arbitrary code execution.

Vulnerability

Overview

The Jenkins Script Security Plugin provides a sandbox that lets low-privileged users define scripts, including Pipelines, whose calls are intercepted and checked against allowlists. That interception covers only calls made from inside the sandboxed script. In version 1.74 and earlier, code defined inside a sandboxed script (for example a method of a class the script declares) could be invoked from outside the sandbox, and such invocations were always allowed. Because sandboxed scripts routinely hand their results back through return values or script bindings, a caller outside the sandbox that later invokes a method on such a result runs attacker-defined code without sandbox protection. This is CVE-2020-2279.

Exploitation

An attacker with permission to define and run sandboxed scripts, including Pipelines, writes a script that declares a class with a method containing calls the sandbox would reject (the fix commit's test uses an overridden toString() that calls jenkins.model.Jenkins.get().setSystemMessage(...)) and then returns an instance of that class or stores it in a script binding. The script itself executes cleanly, because the privileged calls are not made while the interceptor is active. When the calling plugin or pipeline code outside the sandbox later invokes that method, for example by converting the result to a string, the method body runs without sandbox restrictions. The sandbox validated only calls originating from inside the sandbox, not later invocations of sandbox-defined code from outside it [3].

Impact

Successful exploitation allows the attacker to execute arbitrary code on the Jenkins controller JVM, effectively bypassing the sandbox protection. This can lead to full compromise of the Jenkins instance, including unauthorized access to sensitive data, configuration changes, and execution of system commands.

Mitigation

Script Security Plugin 1.75 prevents code defined inside a sandboxed script from being invoked outside the sandbox: with no interceptor active, such calls are rejected with a SecurityException [3]. Plugins that invoke sandboxed script results outside the sandbox are affected by that change, and the advisory names Email Extension Plugin, Warnings Next Generation Plugin, and Warnings Plugin as needing compatible versions that handle sandboxed return values correctly. Upgrade to Script Security Plugin 1.75 or later, and update those plugins alongside it [4].
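The interception gap described under Exploitation and the 1.75 behaviour described here, as an added example that models the mechanism in Python rather than in the Groovy sandbox itself. This is not code from Jenkins, Script Security Plugin or groovy-sandbox: `intercepted` stands in for the sandbox's call rewriting, `Controller` and `jenkins_get` are constructed stand-ins for `jenkins.model.Jenkins.get()`, and the `reject_unsandboxed` switch is an assumed knob that contrasts pre-1.75 and post-1.75 handling of sandbox-defined code invoked with no interceptor active. The third caller shows the adjustment a consuming plugin makes when it legitimately needs a result's toString().

```python
import threading

# Added example modelling the SECURITY-2020 interception gap; not code from
# Jenkins, Script Security Plugin or groovy-sandbox.  The Groovy sandbox
# rewrites every call inside a sandboxed script to pass through an interceptor
# that checks an allowlist.  That rewrite is imitated by hand: script code calls
# intercepted() instead of calling the privileged function directly.

_active = threading.local()  # allowlist of the interceptor active on this thread, if any


class SecurityException(Exception):
    pass


class Whitelist:
    def __init__(self, allowed):
        self.allowed = frozenset(allowed)

    def permits(self, signature):
        return signature in self.allowed


def intercepted(signature, func, *args, reject_unsandboxed):
    """Trampoline every call inside sandbox-defined code passes through.

    reject_unsandboxed=False models Script Security <= 1.74 (groovy-sandbox 1.26):
    with no interceptor registered the call is simply allowed.
    reject_unsandboxed=True models 1.75 (groovy-sandbox 1.27): sandbox-defined
    code refuses to run unless an interceptor is active."""
    whitelist = getattr(_active, "whitelist", None)
    if whitelist is None:
        if reject_unsandboxed:
            raise SecurityException(
                f"Rejecting unsandboxed static method call: {signature}")
        return func(*args)
    if not whitelist.permits(signature):
        raise SecurityException(f"Rejecting sandboxed call: {signature}")
    return func(*args)


def run_in_sandbox(thunk, whitelist):
    """Run thunk() with an interceptor registered, like evaluating a sandboxed script."""
    _active.whitelist = whitelist
    try:
        return thunk()
    finally:
        _active.whitelist = None


class Controller:
    """Constructed stand-in for the controller state the attacker wants to reach."""
    def __init__(self):
        self.system_message = ""

    def set_system_message(self, msg):
        self.system_message = msg


CONTROLLER = Controller()


def jenkins_get():  # stand-in for the static call jenkins.model.Jenkins.get()
    return CONTROLLER


def attacker_script(reject_unsandboxed):
    """The script from the fix commit's test, as a closure: it declares a class
    whose toString() does privileged work and returns an instance.  Nothing
    privileged happens while the script itself runs."""
    class Test:
        def __str__(self):
            j = intercepted("jenkins.model.Jenkins.get()", jenkins_get,
                            reject_unsandboxed=reject_unsandboxed)
            intercepted("jenkins.model.Jenkins.setSystemMessage(String)",
                        j.set_system_message, "Hello, world!",
                        reject_unsandboxed=reject_unsandboxed)
            return "test"
    return Test()


def caller_outside_sandbox(reject_unsandboxed):
    """A plugin that evaluates the script in the sandbox and then, outside it,
    stringifies the returned object.  Returns (outcome, detail, system_message)."""
    CONTROLLER.system_message = ""
    result = run_in_sandbox(lambda: attacker_script(reject_unsandboxed), Whitelist([]))
    try:
        text = str(result)  # invokes sandbox-defined toString() with no interceptor
    except SecurityException as e:
        return ("rejected", str(e), CONTROLLER.system_message)
    return ("executed", text, CONTROLLER.system_message)


def caller_inside_sandbox(whitelist):
    """A plugin that legitimately needs toString() of a sandboxed result and so
    invokes it with the interceptor active, keeping the allowlist in force."""
    CONTROLLER.system_message = ""
    result = run_in_sandbox(lambda: attacker_script(True), whitelist)
    try:
        text = run_in_sandbox(lambda: str(result), whitelist)
    except SecurityException as e:
        return ("rejected", str(e), CONTROLLER.system_message)
    return ("executed", text, CONTROLLER.system_message)


if __name__ == "__main__":
    print(caller_outside_sandbox(reject_unsandboxed=False))  # bypass: message is set
    print(caller_outside_sandbox(reject_unsandboxed=True))   # 1.75 behaviour: rejected
    print(caller_inside_sandbox(Whitelist([])))              # allowlist applies to toString()
```

With `reject_unsandboxed=False` the script's own evaluation never trips the interceptor, and the later `str(result)` sets the system message: that is the bypass. With it set to `True` the same call is rejected before any privileged work happens, which is the 1.75 contract that consuming plugins must accommodate by invoking sandboxed results inside the sandbox, as the third caller does.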

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                        | Affected versions | Patched versions
org.jenkins-ci.plugins:script-security (Maven) | >= 1.67, < 1.75   | 1.75
org.jenkins-ci.plugins:script-security (Maven) | < 1.66.5          | 1.66.5

Affected products (2)

Patches (1)

79d1e9207c5c

[SECURITY-2020]

2 files changed · +23 −1
  • pom.xml  (+1 −1, modified)
    @@ -63,7 +63,7 @@
         <dependency>
           <groupId>org.kohsuke</groupId>
           <artifactId>groovy-sandbox</artifactId>
    -      <version>1.26</version>
    +      <version>1.27</version>
           <exclusions>
             <exclusion>
               <groupId>org.codehaus.groovy</groupId>
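Review bot: the only production change in this patch is the dependency bump from groovy-sandbox 1.26 to 1.27, so the enforcement itself (rejecting invocations of sandbox-defined code when no interceptor is active) lives entirely in that upstream release and is invisible in this diff; the commit message should reference the groovy-sandbox change that implements it, and the changelog should call out the behaviour change for plugins that invoke script results outside the sandbox, since they will now get a SecurityException where the call previously succeeded.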
    
  • src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java  (+22 −0, modified)
    @@ -1397,6 +1397,28 @@ public void blockIllegalAnnotationsInAnnotations() throws Exception {
                     "new Test().hello\n");
         }
     
    +    @Issue("SECURITY-2020")
    +    @Test public void unsafeReturnValue() throws Throwable {
    +        try {
    +            Object result = evaluate(new GenericWhitelist(),
    +                    "class Test {\n" +
    +                    "  @Override public String toString() {\n" +
    +                    "    jenkins.model.Jenkins.get().setSystemMessage('Hello, world!')\n" +
    +                    "    'test'\n" +
    +                    "  }\n" +
    +                    "}\n" + 
    +                    "new Test()");
    +            // Test.equals and Test.getClass are inherited and not sandbox-transformed, so they can be called outside of the sandbox.
    +            assertFalse(result.equals(new Object()));
    +            assertThat(result.getClass().getSimpleName(), equalTo("Test"));
    +            // Test.toString is defined in the sandbox, so it cannot be called outside of the sandbox.
    +            result.toString();
    +            fail("Test.toString should throw a SecurityException");
    +        } catch (SecurityException e) {
    +            assertThat(e.getMessage(), equalTo("Rejecting unsandboxed static method call: jenkins.model.Jenkins.get()"));
    +        }
    +    }
    +
         /**
          * Checks that the annotation is blocked from being used in the provided script whether it is imported or used via
          * fully-qualified class name.
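Review bot: the new test covers only the return-value channel, while the advisory also names script bindings, so a second case that stores the Test instance in the binding and invokes it after evaluation would close that gap. The try block also wraps `evaluate(...)` together with `result.toString()`, so a SecurityException thrown during evaluation would land in the same catch and only the exact-message `equalTo` keeps that from passing silently; narrowing the try (or an assertThrows) to the `result.toString()` line, and asserting that the system message is still unchanged afterwards, would show the bypass is closed rather than merely that some SecurityException occurred.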
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (6)

News mentions (1)