CVE-2024-34144

CRITICAL

Jenkins Script Security Plugin <=1335.vf07d9ce377a_e - Sandbox Bypass

Exploitation Summary

EIP tracks 1 public exploit for CVE-2024-34144. PoCs published by MXWXZ.

AI-analyzed exploit summary: The repository contains functional exploit code for CVE-2024-34144, demonstrating deserialization-based arbitrary file read and write capabilities. The PoC uses crafted Groovy scripts to interact with vulnerable endpoints, enabling data exfiltration and potential RCE.

Description

A sandbox bypass vulnerability involving crafted constructor bodies in Jenkins Script Security Plugin 1335.vf07d9ce377a_e and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

Exploits (1)

nomisec WORKING POC 2 stars
by MXWXZ · poc
https://github.com/MXWXZ/CVE-2024-34144

Classification
Working PoC 90%
Attack Type
Deserialization
Complexity
Moderate
Reliability
Reliable
Target: Unknown (likely a Groovy-based application)
No auth needed
Prerequisites: Network access to the target · Vulnerable Groovy-based application
devstral-2 · analyzed Feb 18, 2026

Scores

CVSS v3 9.8
EPSS 0.4808
EPSS Percentile 98.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-693
Status published
Products (2)
jenkins/script_security < 1335.vf07d9ce377a_e
org.jenkins-ci.plugins/script-security 0 - 1336.vf33a (Maven)
Published May 02, 2024
Tracked Since Feb 18, 2026