CVE-2024-52554 – This vulnerability in Jenkins Shared Library Ve... (How to Fix)

Q: What is the severity of CVE-2024-52554?

CVE-2024-52554 has a CVSS score of 8.8 (HIGH). This vulnerability in Jenkins Shared Library Version Override Plugin allows attackers with Item/Configure permission on a folder to bypass the Script Security sandbox. This enables execution of arbitrary code without sandbox protection, affecting all Jenkins instances using vulnerable versions of this plugin.

📋 TL;DR

This vulnerability in Jenkins Shared Library Version Override Plugin allows attackers with Item/Configure permission on a folder to bypass the Script Security sandbox. This enables execution of arbitrary code without sandbox protection, affecting all Jenkins instances using vulnerable versions of this plugin.

💻 Affected Systems

Products:

Jenkins Shared Library Version Override Plugin

Versions: 17.v786074c9fce7 and earlier

Operating Systems: All operating systems running Jenkins

Default Config Vulnerable: ⚠️ Yes

Notes: Requires Jenkins with the vulnerable plugin installed and attackers need Item/Configure permission on a folder.

📦 What is this software?

Shared Library Version Override by Jenkins

View all CVEs affecting Shared Library Version Override →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the network.

🟠

Likely Case

Attackers with folder configuration permissions can execute arbitrary code to steal credentials, modify builds, or disrupt CI/CD pipelines.

🟢

If Mitigated

With proper access controls limiting Item/Configure permissions, impact is reduced to authorized users only.

🌐 Internet-Facing: HIGH if Jenkins is internet-facing and attackers can obtain folder configuration permissions.

🏢 Internal Only: MEDIUM as it requires authenticated access with specific permissions, but could be exploited by malicious insiders or compromised accounts.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authenticated access with Item/Configure permission, but the bypass mechanism is straightforward once permissions are obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 18.vb_8c1b_4b_6a_3b_4 or later

Vendor Advisory: https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3466

Restart Required: Yes

Instructions:

1. Update Jenkins Shared Library Version Override Plugin to version 18.vb_8c1b_4b_6a_3b_4 or later via Jenkins Plugin Manager. 2. Restart Jenkins to apply the update.

🔧 Temporary Workarounds

Remove vulnerable plugin

all

Uninstall the Shared Library Version Override Plugin if not required

Navigate to Manage Jenkins > Plugin Manager > Installed plugins
Find 'Shared Library Version Override Plugin' and click Uninstall

Restrict folder permissions

all

Limit Item/Configure permissions to trusted administrators only

Navigate to Manage Jenkins > Configure Global Security > Project-based Matrix Authorization Strategy
Remove Item/Configure permissions from non-administrative users

🧯 If You Can't Patch

Immediately restrict Item/Configure permissions to only essential administrators
Monitor for suspicious folder configuration changes and library override activities

🔍 How to Verify

Check if Vulnerable:

Check plugin version in Jenkins: Manage Jenkins > Plugin Manager > Installed plugins > Shared Library Version Override Plugin

Check Version:

curl -s http://jenkins-host/pluginManager/api/json?depth=1 | grep -A5 -B5 'Shared Library Version Override Plugin'

Verify Fix Applied:

Verify plugin version is 18.vb_8c1b_4b_6a_3b_4 or later in Plugin Manager

📡 Detection & Monitoring

Log Indicators:

Unusual folder configuration changes
Library override modifications by non-administrative users
Script security sandbox bypass warnings

Network Indicators:

Unexpected outbound connections from Jenkins server
Unusual API calls to folder configuration endpoints

SIEM Query:

source="jenkins.log" AND ("folder-scoped library override" OR "Script Security sandbox bypass")

📊 Metadata

CVE ID: CVE-2024-52554

CVSS v3 Score: 8.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-862

Published: November 13, 2024

Last Updated: October 3, 2025

🔗 References

https://www.jenkins.io/security/advisory/2024-11-13/#SECURITY-3466 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-52554, you might also want to check these: