8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-52554

GHSA ID

GHSA-7845-crfj-phc4

EPSS Score

0.31167%

CWE

CWE-862

Published

11/13/2024

Updated

11/14/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-52554

CVE-2024-52554: Script security bypass vulnerability in Jenkins Shared Library Version Override Plugin

Jenkins Shared Library Version Override Plugin 17.v786074c9fce7 and earlier declares folder-scoped library overrides as trusted, so that they're not executed in the Script Security sandbox, allowing attackers with Item/Configure permission on a folder to configure a folder-scoped library override that runs without sandbox protection. This allows attackers with Item/Configure permission on a folder to configure a folder-scoped library override that runs without sandbox protection. Shared Library Version Override Plugin 19.v3a_c975738d4a_ declares folder-scoped library overrides as untrusted, so that they’re executed in the Script Security sandbox.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-52554

CVE-2024-52554:

8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-52554

GHSA ID

GHSA-7845-crfj-phc4

EPSS Score

0.31167%

CWE

CWE-862

Published

11/13/2024

Updated

11/14/2024

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
io.jenkins.plugins:shared-library-version-override	maven	< 19.v3a	19.v3a

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from folder-scoped library overrides being declared as trusted in vulnerable versions. The key function would be the one responsible for setting the 'trusted' flag for these overrides. Jenkins plugin architecture typically uses methods like isTrusted() in library configuration classes to control sandbox execution. The patch explicitly changes this trust designation, indicating this was the vulnerable point. While exact code isn't available, the pattern matches Jenkins' security model and the advisory's technical description.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-52554: Script security bypass vulnerability in Jenkins Shared Library Version Override Plugin

CVE-2024-52554:

8.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

8.8

8.8

Basic Information

Basic Information

CVE-2024-52554: Script security bypass vulnerability in Jenkins Shared Library Version Override Plugin

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI