Login Sign Up

CVE-2020-2279

9.9 CRITICAL
Remote Code Execution

📋 TL;DR

CVE-2020-2279 is a critical sandbox bypass vulnerability in Jenkins Script Security Plugin that allows attackers with permission to define sandboxed scripts to craft return values or script bindings that escape the sandbox and execute arbitrary code on the Jenkins controller JVM. This affects Jenkins administrators and users with script definition permissions. The vulnerability enables full compromise of the Jenkins controller.

💻 Affected Systems

Products:
  • Jenkins Script Security Plugin
Versions: 1.74 and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker to have 'Run Scripts' permission or equivalent. Jenkins instances with script security enabled are vulnerable.

📦 What is this software?

Script Security by Jenkins

View all CVEs affecting Script Security →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the Jenkins controller with full administrative access, allowing installation of backdoors, credential theft, lateral movement, and persistent access to the entire CI/CD pipeline.

🟠

Likely Case

Attackers with script permissions gain full code execution on the controller, enabling data exfiltration, pipeline manipulation, and deployment of malicious artifacts.

🟢

If Mitigated

With proper access controls limiting script permissions to trusted users only, impact is reduced but still critical if any authorized user is compromised.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with script permissions. Public proof-of-concept exists in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Script Security Plugin 1.75 or later

Vendor Advisory: https://www.jenkins.io/security/advisory/2020-09-23/#SECURITY-2020

Restart Required: Yes

Instructions:

1. Update Jenkins Script Security Plugin to version 1.75 or later via Jenkins Plugin Manager. 2. Restart Jenkins service. 3. Verify plugin version in Installed Plugins list.

🔧 Temporary Workarounds

Restrict Script Permissions

all

Temporarily remove 'Run Scripts' permission from all non-essential users until patching is complete.

Navigate to Jenkins > Manage Jenkins > Configure Global Security > Matrix-based security or Role-based strategy

🧯 If You Can't Patch

  • Implement strict access controls to limit script permissions to absolutely necessary administrators only
  • Monitor Jenkins logs for unusual script execution patterns and implement network segmentation

🔍 How to Verify

Check if Vulnerable:

Check Jenkins Plugin Manager for Script Security Plugin version. If version is 1.74 or earlier, system is vulnerable.

Check Version:

Check via Jenkins web UI: Manage Jenkins > Plugin Manager > Installed plugins, or check JENKINS_HOME/plugins/script-security/META-INF/MANIFEST.MF

Verify Fix Applied:

Verify Script Security Plugin version is 1.75 or later in Jenkins > Manage Jenkins > Plugin Manager > Installed tab.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Groovy script execution patterns in Jenkins logs
  • ScriptSecurity exceptions or sandbox bypass attempts

Network Indicators:

  • Unexpected outbound connections from Jenkins controller
  • Unusual API calls to Jenkins script endpoints

SIEM Query:

source="jenkins.log" AND ("script-security" OR "sandbox" OR "Groovy") AND ("bypass" OR "exception" OR "unauthorized")

📊 Metadata

CVE ID: CVE-2020-2279
CVSS v3 Score: 9.9 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Published: September 23, 2020
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON