Skip to main content

Pipeline CVE-2020-2109

HIGH
Improper Input Validation (CWE-20)
2020-02-12 jenkinsci-cert@googlegroups.com
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
CVE Published
Feb 12, 2020 - 15:15 nvd
HIGH 8.8

DescriptionNVD

Sandbox protection in Jenkins Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed methods.

AnalysisAI

Sandbox protection in Jenkins Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed methods. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified under CWE-20. Sandbox protection in Jenkins Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed methods. Affected products include: Jenkins Pipeline\.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2019-1003002 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in. Rated high severity (CVSS 8.

CVE-2019-1003001 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins

CVE-2019-1003030 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/

CVE-2022-43402 CRITICAL
9.9 Oct 19

A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Pi

CVE-2019-1003041 CRITICAL
9.8 Mar 28

A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin 2.64 and earlier allows attackers to invoke arbitrary

CVE-2017-1000096 HIGH
8.8 Oct 05

Arbitrary code execution due to incomplete sandbox protection: Constructors, instance variable initializers, and instanc

CVE-2022-43407 HIGH
8.8 Oct 19

Jenkins Pipeline: Input Step Plugin 451.vf1a_a_4f405289 and earlier does not restrict or sanitize the optionally specifi

CVE-2020-2166 HIGH
8.8 Mar 25

Jenkins Pipeline: AWS Steps Plugin 1.40 and earlier does not configure its YAML parser to prevent the instantiation of a

CVE-2018-1000866 HIGH
8.8 Dec 10

A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.59 and earlier in groovy-sandbox/src/main/java/org/ko

CVE-2026-40938 HIGH
8.5 Apr 21

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. From 1.0.0 to before 1.11.0,

CVE-2022-30945 HIGH
8.5 May 17

Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath

CVE-2022-28155 HIGH
8.1 Mar 29

Jenkins Pipeline: Phoenix AutoTest Plugin 1.3 and earlier does not configure its XML parser to prevent XML external enti

Share

CVE-2020-2109 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy