CVSS Score: -

The vulnerability stemmed from two issues: (1) JobDslWhitelist did not whitelist constructors, which allowed arbitrary class instantiation, and (2) SandboxDslScriptLoader did not sufficiently wrap script parsing and execution in the sandbox. The fix added constructor checks (permitsConstructor) and wrapped the critical phases with GroovySandbox.runInSandbox. The test case security1342.groovy demonstrates constructor-based exploitation that would have been blocked post-patch.

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:job-dsl | maven | < 1.72 | 1.72 |
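
The first issue above (a whitelist that vets method calls but not constructors) in miniature, as an added example that is not the plugin's or script-security's code. ModelWhitelist, UncheckedConstructors, CheckedConstructors, DslContext and Unvetted are hypothetical names; only the permitsConstructor method name comes from the page, and the GroovySandbox.runInSandbox wrapping is not modelled.

```java
import java.lang.reflect.Constructor;
import java.lang.reflect.Method;
import java.util.Set;

// Simplified model of a sandbox whitelist; not the script-security or Job DSL source.
public class ConstructorWhitelistDemo {
    // Hypothetical interface: the sandbox interceptor consults it before each call.
    static abstract class ModelWhitelist {
        abstract boolean permitsMethod(Method m, Object receiver, Object[] args);
        abstract boolean permitsConstructor(Constructor<?> c, Object[] args);
    }

    // "Before": methods are limited to the DSL context class, constructors are never vetted.
    static class UncheckedConstructors extends ModelWhitelist {
        final Class<?> dslContext;
        UncheckedConstructors(Class<?> dslContext) { this.dslContext = dslContext; }
        boolean permitsMethod(Method m, Object receiver, Object[] args) { return m.getDeclaringClass() == dslContext; }
        // Gap: `new` on any loadable class passes the sandbox.
        boolean permitsConstructor(Constructor<?> c, Object[] args) { return true; }
    }

    // "After": a constructor is rejected unless its class is explicitly listed.
    static class CheckedConstructors extends UncheckedConstructors {
        final Set<Class<?>> allowed;
        CheckedConstructors(Class<?> dslContext, Set<Class<?>> allowed) { super(dslContext); this.allowed = allowed; }
        @Override
        boolean permitsConstructor(Constructor<?> c, Object[] args) { return allowed.contains(c.getDeclaringClass()); }
    }

    static class DslContext { }   // constructed stand-in for a class the DSL exposes
    static class Unvetted { }     // constructed stand-in for a class the DSL never exposes

    // What the interceptor does for `new T()`: ask the whitelist first, then instantiate.
    static Object sandboxedNew(ModelWhitelist w, Class<?> type) throws Exception {
        Constructor<?> c = type.getDeclaredConstructor();
        if (!w.permitsConstructor(c, new Object[0]))
            throw new SecurityException("rejected: new " + type.getSimpleName());
        return c.newInstance();
    }

    public static void main(String[] argv) throws Exception {
        ModelWhitelist before = new UncheckedConstructors(DslContext.class);
        ModelWhitelist after = new CheckedConstructors(DslContext.class, Set.of(DslContext.class));
        System.out.println("before: created " + sandboxedNew(before, Unvetted.class).getClass().getSimpleName());
        try { sandboxedNew(after, Unvetted.class); }
        catch (SecurityException e) { System.out.println("after: " + e.getMessage()); }
    }
}
```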