8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-2134

GHSA ID

GHSA-gj3q-p8cm-26rm

EPSS Score

0.40535%

CWE

CWE-693

Published

5/24/2022

Updated

12/22/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-2134

CVE-2020-2134: Sandbox bypass vulnerability in Script Security Plugin

Sandbox protection in Script Security Plugin 1.70 and earlier can be circumvented through:

Crafted constructor calls and bodies (due to an incomplete fix of SECURITY-582)
Crafted method calls on objects that implement GroovyInterceptable

This allows attackers able to specify and run sandboxed scripts to execute arbitrary code in the context of the Jenkins controller JVM.

Script Security Plugin 1.71 has additional restrictions and sanity checks to ensure that super constructors cannot be constructed without being intercepted by the sandbox. In addition, it also intercepts method calls on objects that implement GroovyInterceptable as calls to GroovyObject#invokeMethod(String, Object), which is on the list of dangerous signatures and should not be approved for use in the sandbox.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-2134

GHSA ID

GHSA-gj3q-p8cm-26rm

EPSS Score

0.40535%

CWE

CWE-693

Published

5/24/2022

Updated

12/22/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:script-security	maven	< 1.7.1	1.7.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from two key flaws: 1) GroovyInterceptable method calls were not forced through the invokeMethod() gateway, allowing arbitrary method execution, and 2) synthetic constructor wrappers for super/this calls were not blacklisted, enabling direct unsafe constructor invocation. The commit addresses these by adding GroovyInterceptable handling in method dispatch and blacklisting the dangerous constructors. The test cases confirm these vectors were exploitable in vulnerable versions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

S*n**ox prot**tion in S*ript S**urity Plu*in *.** *n* **rli*r **n ** *ir*umv*nt** t*rou**: - *r**t** *onstru*tor **lls *n* *o*i*s (*u* to *n in*ompl*t* *ix o* [S**URITY-***](*ttps://www.j*nkins.io/s**urity/**visory/****-**-**/#sup*r-*onstru*tor-**lls

Reasoning

T** vuln*r**ility st*mm** *rom two k*y *l*ws: *) `*roovyInt*r**pt**l*` m*t*o* **lls w*r* not *or*** t*rou** t** `invok*M*t*o*()` **t*w*y, *llowin* *r*itr*ry m*t*o* *x**ution, *n* *) synt**ti* *onstru*tor wr*pp*rs *or sup*r/t*is **lls w*r* not *l**kli

8.8

Basic Information

Concerned about an active attack path?

CVE-2020-2134: Sandbox bypass vulnerability in Script Security Plugin

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI