CVE-2023-25765

CRITICAL

Jenkins Email Extension Plugin <2.93 - Code Injection

Title source: llm

Description

In Jenkins Email Extension Plugin 2.93 and earlier, templates defined inside a folder were not subject to Script Security protection, allowing attackers able to define email templates in folders to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

References (2)

Core 2

Core References

Vendor Advisory

https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-2939

Mailing List, Third Party Advisory mailing-list

http://www.openwall.com/lists/oss-security/2023/02/15/4

Scores

CVSS v3 9.9

EPSS 0.0068

EPSS Percentile 71.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-693

Status published

Products (2)

jenkins/email_extension < 2.93.1

org.jenkins-ci.plugins/email-ext 0 - 2.94Maven

Published Feb 15, 2023

Tracked Since Feb 18, 2026