Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not intercept the implicit type casts applied to the elements of typed for-each loops in sandboxed Groovy scripts, allowing attackers able to provide such scripts to invoke arbitrary constructors and bypass the sandbox protection.
Metrics
Affected Vendors & Products
References
History
Mon, 13 Jul 2026 06:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-264 CWE-730 |
Sat, 11 Jul 2026 00:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Jenkins Script Security Plugin Sandbox Bypass via Implicit Type Cast in Groovy Loops | jenkins-script-security-plugin: Jenkins Script Security Plugin: Sandbox bypass leading to arbitrary code execution |
| Weaknesses | CWE-1287 | |
| References |
| |
| Metrics |
threat_severity
|
threat_severity
|
Wed, 24 Jun 2026 17:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Jenkins Project
Jenkins Project jenkins Script Security Plugin |
|
| Vendors & Products |
Jenkins Project
Jenkins Project jenkins Script Security Plugin |
Wed, 24 Jun 2026 15:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Title | Jenkins Script Security Plugin Sandbox Bypass via Implicit Type Cast in Groovy Loops | |
| Weaknesses | CWE-264 CWE-730 |
Wed, 24 Jun 2026 14:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-693 | |
| Metrics |
cvssV3_1
|
Wed, 24 Jun 2026 13:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not intercept the implicit type casts applied to the elements of typed for-each loops in sandboxed Groovy scripts, allowing attackers able to provide such scripts to invoke arbitrary constructors and bypass the sandbox protection. | |
| References |
|
Status: PUBLISHED
Assigner: jenkins
Published: 2026-06-24T13:20:04.064Z
Updated: 2026-06-24T13:58:16.696Z
Reserved: 2026-06-24T08:41:44.357Z
Link: CVE-2026-57280
Updated: 2026-06-24T13:51:35.385Z
No data.