Script Security Plugin provides a sandbox feature that allows low-privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowed. In Script Security Plugin 1228.vd93135a_2fb_25 and earlier, property assignments performed implicitly by the Groovy language runtime when invoking map constructors were not intercepted by the sandbox. This vulnerability allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-3016
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.10 Via RHSA-2023:1655 https://access.redhat.com/errata/RHSA-2023:1655
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2023-24422
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.12 Via RHSA-2023:3195 https://access.redhat.com/errata/RHSA-2023:3195
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.11 Via RHSA-2023:3198 https://access.redhat.com/errata/RHSA-2023:3198
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.13 Via RHSA-2023:3299 https://access.redhat.com/errata/RHSA-2023:3299
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.12 Via RHSA-2023:3610 https://access.redhat.com/errata/RHSA-2023:3610
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.13 Via RHSA-2023:6179 https://access.redhat.com/errata/RHSA-2023:6179
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.14 Via RHSA-2023:7288 https://access.redhat.com/errata/RHSA-2023:7288
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.13 Via RHSA-2024:0776 https://access.redhat.com/errata/RHSA-2024:0776
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.14 Via RHSA-2024:0777 https://access.redhat.com/errata/RHSA-2024:0777
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.12 Via RHSA-2024:0778 https://access.redhat.com/errata/RHSA-2024:0778
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.11 Via RHSA-2024:0775 https://access.redhat.com/errata/RHSA-2024:0775