CVE-2023-25765

CRITICAL

Jenkins Email Extension Plugin <2.93 - Code Injection

Title source: llm

Description

In Jenkins Email Extension Plugin 2.93 and earlier, templates defined inside a folder were not subject to Script Security protection, allowing attackers able to define email templates in folders to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

Scores

CVSS v3 9.9
EPSS 0.0025
EPSS Percentile 47.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Classification

CWE CWE-693 (Protection Mechanism Failure)
Status published

Affected Products (2)

jenkins/email_extension < 2.93.1
org.jenkins-ci.plugins/email-ext < 2.94 (Maven)

Timeline

Published Feb 15, 2023
Tracked Since Feb 18, 2026