Jenkins Script Security — known CVE vulnerabilities
Every CVE whose affected-product data names Jenkins Script Security, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (35)
CVE-2020-2279 — CVSS 9.9 (critical): A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.74 and earlier allows attackers with permission to define sandboxed…
CVE-2022-43404 — CVSS 9.9 (critical): A sandbox bypass vulnerability involving crafted constructor bodies and calls to sandbox-generated synthetic constructors in Jenkins Script…
CVE-2022-43403 — CVSS 9.9 (critical): A sandbox bypass vulnerability involving casting an array-like value to an array type in Jenkins Script Security Plugin…
CVE-2019-10431 — CVSS 9.9 (critical): A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.64 and earlier related to the handling of default parameter expressions…
CVE-2022-43401 — CVSS 9.9 (critical): A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Script Security…
CVE-2024-34144 — CVSS 9.8 (critical): A sandbox bypass vulnerability involving crafted constructor bodies in Jenkins Script Security Plugin 1335.vf07d9ce377a_e and earlier…
CVE-2019-1003040 — CVSS 9.8 (critical): A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.55 and earlier allows attackers to invoke arbitrary constructors in…
CVE-2019-16538 — CVSS 8.8 (high): A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.67 and earlier related to the handling of default parameter expressions…
CVE-2019-10355 — CVSS 8.8 (high): A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of type casts allowed attackers…
CVE-2019-10356 — CVSS 8.8 (high): A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of method pointer expressions…
CVE-2023-24422 — CVSS 8.8 (high): A sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a_2fb_25 and earlier allows…
CVE-2020-2110 — CVSS 8.8 (high): Sandbox protection in Jenkins Script Security Plugin 1.69 and earlier could be circumvented during the script compilation phase by applying…
CVE-2020-2134 — CVSS 8.8 (high): Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted constructor calls and crafted…
CVE-2020-2135 — CVSS 8.8 (high): Sandbox protection in Jenkins Script Security Plugin 1.70 and earlier could be circumvented through crafted method calls on objects that…
CVE-2026-57280 — CVSS 8.8 (high): Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not intercept the implicit type casts applied to the elements of typed…
CVE-2017-1000107 — CVSS 8.8 (high): Script Security Plugin did not apply sandboxing restrictions to constructor invocations via positional arguments list, super constructor…
CVE-2024-34145 — CVSS 8.8 (high): A sandbox bypass vulnerability involving sandbox-defined classes that shadow specific non-sandbox-defined classes in Jenkins Script…
CVE-2018-1000865 — CVSS 8.8 (high): A sandbox bypass vulnerability exists in Script Security Plugin 1.47 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/…
CVE-2019-1003005 — CVSS 8.8 (high): A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecuri…
CVE-2019-1003000 — CVSS 8.8 (high): A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandb…
CVE-2019-1003024 — CVSS 8.8 (high): A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.52 and earlier in RejectASTTransformsCustomizer.java that allows…
CVE-2026-57281 — CVSS 7.5 (high): Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions…
CVE-2022-45379 — CVSS 7.5 (high): Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the script, making it…
CVE-2016-3102 — CVSS 7.3 (high): The Script Security plugin before 1.18.1 in Jenkins might allow remote attackers to bypass a Groovy sandbox protection mechanism via a…
CVE-2017-1000505 — CVSS 6.5 (medium): In Jenkins Script Security Plugin version 1.36 and earlier, users with the ability to configure sandboxed Groovy scripts are able to use a…
CVE-2017-1000095 — CVSS 6.5 (medium): The default whitelist included the following unsafe entries: DefaultGroovyMethods.putAt(Object, String, Object); DefaultGroovyMethods.getAt(…
CVE-2020-2190 — CVSS 5.4 (medium): Jenkins Script Security Plugin 1.72 and earlier does not correctly escape pending or approved classpath entries on the In-process Script…
CVE-2022-30946 — CVSS 4.3 (medium): A cross-site request forgery (CSRF) vulnerability in Jenkins Script Security Plugin 1158.v7c1b_73a_69a_08 and earlier allows attackers to…
CVE-2024-52549 — CVSS 4.3 (medium): Jenkins Script Security Plugin 1367.vdf2fc45f229c and earlier, except 1365.1367.va_3b_b_89f8a_95b_ and 1362.1364.v4cf2dc5d8776, does not…
CVE-2026-42519 — CVSS 4.3 (medium): A missing permission check in Jenkins Script Security Plugin 1399.ve6a_66547f6e1 and earlier allows attackers with Overall/Read permission…
CVE-2019-10399 — CVSS 4.2 (medium): A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of property names in property…
CVE-2019-10400 — CVSS 4.2 (medium): A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of subexpressions in increment…
CVE-2019-10393 — CVSS 4.2 (medium): A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of method names in method call…
CVE-2019-10394 — CVSS 4.2 (medium): A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of property names in property…