<Vulnerability name="CVE-2026-57280">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Important</ThreatSeverity>
    <PublicDate>2026-06-24T13:20:04</PublicDate>
    <Bugzilla id="2492199" url="https://bugzilla.redhat.com/show_bug.cgi?id=2492199" xml:lang="en:us">
jenkins-script-security-plugin: Jenkins Script Security Plugin: Sandbox bypass leading to arbitrary code execution
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>8.8</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-1287</CWE>
    <Details xml:lang="en:us" source="Mitre">
Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not intercept the implicit type casts applied to the elements of typed for-each loops in sandboxed Groovy scripts, allowing attackers able to provide such scripts to invoke arbitrary constructors and bypass the sandbox protection.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in Jenkins Script Security Plugin. This vulnerability allows attackers who can provide sandboxed Groovy scripts to bypass security sandbox protections. By exploiting a failure to properly intercept implicit type casts in typed for-each loops, an attacker can invoke arbitrary constructors, potentially leading to arbitrary code execution within the Jenkins environment.
    </Details>
    <Statement xml:lang="en:us">
Red Hat rates this as an Important vulnerability in the Jenkins Script Security Plugin. Attackers with the ability to provide sandboxed Groovy scripts can bypass sandbox protections due to improper handling of implicit type casts in typed for-each loops, allowing arbitrary constructor invocation and potential code execution within the Jenkins JVM. The scope is unchanged (S:U) because the sandbox and the Jenkins controller share the same security authority — a sandbox escape executes code in the same context rather than crossing a trust boundary to a separate system.
    </Statement>
    <Mitigation xml:lang="en:us">
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
    </Mitigation>
    <PackageState cpe="cpe:/a:redhat:ocp_tools">
        <ProductName>OpenShift Developer Tools and Services</ProductName>
        <FixState>Affected</FixState>
        <PackageName>jenkins</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ocp_tools">
        <ProductName>OpenShift Developer Tools and Services</ProductName>
        <FixState>Affected</FixState>
        <PackageName>jenkins-2-plugins</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ocp_tools">
        <ProductName>OpenShift Developer Tools and Services</ProductName>
        <FixState>Affected</FixState>
        <PackageName>ocp-tools-4/jenkins-agent-base-rhel9</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ocp_tools">
        <ProductName>OpenShift Developer Tools and Services</ProductName>
        <FixState>Affected</FixState>
        <PackageName>ocp-tools-4/jenkins-rhel8</PackageName>
    </PackageState>
    <PackageState cpe="cpe:/a:redhat:ocp_tools">
        <ProductName>OpenShift Developer Tools and Services</ProductName>
        <FixState>Affected</FixState>
        <PackageName>ocp-tools-4/jenkins-rhel9</PackageName>
    </PackageState>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-57280
https://nvd.nist.gov/vuln/detail/CVE-2026-57280
https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3792
    </References>
</Vulnerability>