CVE-2023-24422

HIGH

Jenkins Script Security Plugin <1228.vd93135a_2fb_25 - Sandbox Bypass via Map Constructors

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-24422. PoCs published by shoucheng3.

AI-analyzed exploit summary: This repository contains the source code for the Jenkins Script Security Plugin, including patches and changelog entries related to CVE-2023-24422. It provides technical details about the vulnerability and its fixes but does not include functional exploit code.

Description

A sandbox bypass vulnerability involving map constructors in Jenkins Script Security Plugin 1228.vd93135a_2fb_25 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

Exploits (1)

nomisec WRITEUP
by shoucheng3 · poc
https://github.com/shoucheng3/jenkinsci__script-security-plugin_CVE-2023-24422_1228.vd93135a_2fb_25


Classification: Writeup 90%
Attack Type: Other
Complexity: Moderate
Reliability: Theoretical
Target: Jenkins Script Security Plugin
No auth needed
Prerequisites: Access to Jenkins instance with vulnerable plugin
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3: 8.8
EPSS: 0.0004
EPSS Percentile: 12.1%
Attack Vector: LOCAL
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-78
Status: published
Products (2)
jenkins/script_security < 1229.v4880b_b_e905a_6
org.jenkins-ci.plugins/script-security 0 - 1229.v4880b (Maven)
Published: Jan 26, 2023
Tracked Since: Feb 18, 2026