-
CVSS Score
-Basic Information
Technical Details
Vulnerability Intelligence
Miggo AI
Miggo AIMiggo AI| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins.workflow:workflow-cps | maven | < 2.65 | 2.65 |
Miggo AIRoot Cause AnalysisThe vulnerability stems from insufficient sandbox validation during type coercion operations. The pre-patch version of CpsWhitelist.java's permitsStaticMethod explicitly allowed ScriptBytecodeAdapter.asType() calls (used for Groovy type casting) without performing security checks. This let attackers bypass sandbox restrictions by using Groovy's casting syntax (e.g., 'X as Y' or 'Y x = [...]') to invoke dangerous constructors. The patch added Checker.preCheckedCast() validation to enforce security restrictions during these operations, confirming this was the vulnerable code path.