Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy scripts to execute code outside the sandbox if a suitable script is present on the classpath of the component that evaluates the script.
A flaw was found in the Jenkins Script Security Plugin. Attackers with the ability to run sandboxed Groovy scripts can exploit this vulnerability to execute arbitrary code outside the sandbox environment. This is due to the plugin's failure to reject Groovy Abstract Syntax Tree (AST) transformation annotations that include an extensions member, allowing unauthorized script execution if a suitable script exists on the classpath.
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
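As an added example (not part of the advisory and not the plugin's own code), the Python below shows one way a defender could audit stored job or pipeline scripts for annotations that carry an extensions member, the construct the affected plugin versions fail to reject. The annotation names and the sample script are constructed placeholders, and Groovy slashy strings are assumed not to occur in the audited scripts.

```python
import re

ANNOTATION = re.compile(r"@([A-Za-z_][\w.]*)\s*\(")
MEMBER = re.compile(r"\bextensions\s*=(?!=)")
# Comments and string literals; triple-quoted forms must be tried first.
MASKABLE = re.compile(
    r"/\*.*?\*/|//[^\n]*|'''.*?'''|\"\"\".*?\"\"\""
    r"|'(?:\\.|[^'\\\n])*'|\"(?:\\.|[^\"\\\n])*\"",
    re.S)

def mask(src):
    """Blank comments and string literals, keeping offsets and newlines."""
    return MASKABLE.sub(lambda m: re.sub(r"[^\n]", " ", m.group()), src)

def find_extensions_annotations(src):
    """Return (line, name) for each annotation with a top-level `extensions` member."""
    text, hits = mask(src), []
    for m in ANNOTATION.finditer(text):
        depth, i, top = 1, m.end(), []
        while i < len(text) and depth:
            c = text[i]
            depth += (c in "([{") - (c in ")]}")
            # Keep only characters that sit directly in this annotation's argument list.
            top.append(c if depth == 1 and c not in "([{)]}" else " ")
            i += 1
        if MEMBER.search("".join(top)):
            hits.append((text.count("\n", 0, m.start()) + 1, m.group(1)))
    return hits

# Constructed sample script; annotation names are hypothetical placeholders.
SAMPLE = '''\
// extensions = 'not code'
@ExampleTransform(extensions = 'placeholder.groovy')
def build() { }

@ExampleTransform(value = 'x')
def test() { def s = "@Fake(extensions = 'in a string')" }

@org.example.Other(
    flag = true,
    extensions = ['a.groovy', 'b.groovy'])
class Job { }
'''

if __name__ == "__main__":
    for line, name in find_extensions_annotations(SAMPLE):
        print(f"line {line}: @{name} carries an 'extensions' member")
```

A hit is a prompt for review of the script and of who can edit it, not proof of exploitation.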