CVE-2024-34145
Description
A sandbox bypass vulnerability involving sandbox-defined classes that shadow specific non-sandbox-defined classes in Jenkins Script Security Plugin 1335.vf07d9ce377a_e and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A sandbox bypass vulnerability in Jenkins Script Security Plugin allows attackers with sandbox script permissions to execute arbitrary code on the controller JVM.
Vulnerability
Overview
The Jenkins Script Security Plugin provides a sandbox feature to safely execute low-privilege scripts, including Pipelines. A sandbox bypass vulnerability exists in versions 1335.vf07d9ce377a_e and earlier, where Groovy classes defined inside the sandbox can shadow specific non-sandbox-defined classes [1]. By creating a sandbox-defined class that shadows a class outside the sandbox, an attacker can circumvent the sandbox interceptor and instantiate arbitrary subclassable types, breaking the protection boundaries.
Exploitation
Prerequisites
To exploit this vulnerability, an attacker must have permission to define and run sandboxed scripts, which is typically granted to users with Job/Configure or similar privileges in Jenkins [3]. The attack leverages crafted Groovy code that defines a class with the same fully qualified name as a non-sandbox class, effectively taking advantage of the sandbox's insufficient filtering of shadowed classes [2]. No additional network access or authentication bypass is required beyond the initial script execution capability.
Impact
Successful exploitation allows the attacker to execute arbitrary code in the context of the Jenkins controller JVM [1]. This can lead to full compromise of the Jenkins controller, including access to secrets, credentials, and the ability to manipulate builds, jobs, and configurations. The vulnerability is rated High severity due to the potential for complete system takeover [3].
Mitigation
Jenkins released Script Security Plugin version 1336.vf33a_a_9863911, which adds additional restrictions and sanity checks to prevent super constructor calls and ensures that classes in shadowable packages are no longer ignored by the sandbox [3]. Users should upgrade to this version or later immediately. There are no known workarounds for this vulnerability.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins:script-security | Maven | < 1336.vf33a | 1336.vf33a |
Affected products
OSV coordinates (7 versions):
- pkg:apk/chainguard/jenkins (no CPE), range: < 2.458-r0
- pkg:apk/chainguard/jenkins-compat (no CPE), range: < 2.458-r0
- pkg:apk/chainguard/jenkins-remoting (no CPE), range: < 2.458-r0
- pkg:apk/wolfi/jenkins (no CPE), range: < 2.458-r0
- pkg:apk/wolfi/jenkins-compat (no CPE), range: < 2.458-r0
- pkg:apk/wolfi/jenkins-remoting (no CPE), range: < 2.458-r0
- pkg:maven/org.jenkins-ci.plugins/script-security (no CPE), range: < 1336.vf33a
- Jenkins Project / Jenkins Script Security Plugin (v5 range: 0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-2g4q-9vm9-9fw4 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-34145 (GHSA, advisory)
- www.jenkins.io/security/advisory/2024-05-02/ (GHSA, vendor advisory, web)
- www.openwall.com/lists/oss-security/2024/05/02/3 (GHSA, web)
News mentions
- Jenkins Security Advisory 2024-05-02 (Jenkins Security Advisories, May 2, 2024)