CVE-2020-2109 — Improper Input Validation in Jenkins Pipeline: Groovy Plugin

Description

Sandbox protection in Jenkins Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in CPS-transformed methods.

How to fix CVE-2020-2109

To remediate CVE-2020-2109, upgrade the affected package to a fixed version below.

Maven/org.jenkins-ci.plugins.workflow:workflow-cps—upgrade to 2.79 or later

Is CVE-2020-2109 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.79

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2109
WEBgithub.com/jenkinsci/workflow-cps-plugin/commit/41cb4e05eed6a901d0c8a8b0a460111a64c5e179
WEBgithub.com/jenkinsci/workflow-cps-plugin/commit/90b7f403882e1cab1dec49a011e377f440f8e003
WEBjenkins.io/security/advisory/2020-02-12/#SECURITY-1710