VYPR
High severity · NVD Advisory · Published May 2, 2024 · Updated Feb 13, 2025

CVE-2024-34144

Description

A sandbox bypass vulnerability involving crafted constructor bodies in Jenkins Script Security Plugin 1335.vf07d9ce377a_e and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A sandbox bypass vulnerability in Jenkins Script Security Plugin allows attackers to execute arbitrary code by crafting constructor bodies that invoke other constructors.

Vulnerability Overview

CVE-2024-34144 is a sandbox bypass vulnerability in the Jenkins Script Security Plugin, affecting versions 1335.vf07d9ce377a_e and earlier [1]. The official Jenkins advisory explains that crafted constructor bodies can invoke other constructors in a way that bypasses the sandbox's interception mechanism [4]. This occurs because the sandbox does not properly intercept calls to other constructors made with 'this' inside a constructor body [4].

Exploitation Details

An attacker must have permission to define and run sandboxed scripts, including Pipeline scripts [2]. The Script Security Plugin is designed to allow low-privileged users to define scripts that are generally safe to execute, with the sandbox intercepting calls to various API elements and checking allowlists [4]. However, by crafting a constructor body that invokes other constructors via implicit casts, an attacker can construct any subclassable type and execute arbitrary code [4].

Impact

Successful exploitation allows an attacker to bypass the sandbox protection entirely and execute arbitrary code in the context of the Jenkins controller JVM [2]. This means the attacker can perform any action the Jenkins controller can, including changing security settings, running shell commands, or accessing sensitive data [1].

Mitigation

The vulnerability is fixed in Script Security Plugin version 1336.vf33a_a_9863911 [3]. The fix adds additional restrictions and sanity checks to ensure that super constructors cannot be constructed without being intercepted by the sandbox [4]. Specifically, calls to other constructors using 'this' are now intercepted, and classes in packages that can be shadowed by Groovy-defined classes are no longer ignored by the sandbox when intercepting super constructor calls [4].
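To check a controller's pinned plugins against the fixed release named above, the following added example (not code from the advisory or the Jenkins project) audits a `plugins.txt`-style inventory of `name:version` lines. It assumes the leading integer of a Jenkins plugin version increases with each release, so older `1.x` releases also compare as earlier; the sample inventory is constructed.

```python
import re

PLUGIN = "script-security"
FIXED = "1336.vf33a_a_9863911"  # first fixed release, per the text above

# Constructed sample inventory (plugins.txt style), not taken from a real system.
SAMPLE = """\
# controller plugin pins
git:5.2.1
script-security:1335.vf07d9ce377a_e
script-security:1336.vf33a_a_9863911
script-security:1.78
script-security:latest
script-security
"""

def revision(version):
    """Leading integer of a plugin version string, or None if there is none."""
    m = re.match(r"(\d+)", version)
    return int(m.group(1)) if m else None

def classify(version):
    """Return 'vulnerable', 'fixed', or 'unknown' for one version string."""
    rev = revision(version)
    if rev is None:
        return "unknown"  # e.g. 'latest' or no pin: resolve it before trusting it
    return "vulnerable" if rev < revision(FIXED) else "fixed"

def audit(plugins_txt):
    """Return (version, status) for every script-security entry in the inventory."""
    findings = []
    for raw in plugins_txt.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(":", 2)  # name[:version[:download-url]]
        if parts[0].strip() != PLUGIN:
            continue
        version = parts[1].strip() if len(parts) > 1 else ""
        findings.append((version or "unpinned", classify(version)))
    return findings

if __name__ == "__main__":
    for version, status in audit(SAMPLE):
        print(f"{PLUGIN} {version}: {status}")
```

Entries reported as `unknown` are unpinned or symbolic versions, which need to be resolved to the actually installed release before the controller is considered patched.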

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:script-security (Maven)
Affected versions: < 1336.vf33a
Patched versions: 1336.vf33a
