CVE-2024-34144 Overview
CVE-2024-34144 is a sandbox bypass vulnerability in the Jenkins Script Security Plugin version 1335.vf07d9ce377a_e and earlier. This vulnerability allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection mechanism and execute arbitrary code in the context of the Jenkins controller JVM. The flaw involves crafted constructor bodies that can circumvent the security sandbox, granting attackers full control over the Jenkins controller.
Critical Impact
Successful exploitation enables arbitrary code execution within the Jenkins controller JVM, potentially compromising the entire CI/CD pipeline infrastructure, build secrets, and connected systems.
Affected Products
- Jenkins Script Security Plugin version 1335.vf07d9ce377a_e and earlier
- Jenkins instances utilizing sandboxed Pipeline scripts
- Jenkins environments where users have permissions to define custom scripts
Discovery Timeline
- 2024-05-02 - CVE-2024-34144 published to NVD
- 2025-10-10 - Last updated in NVD database
Technical Details for CVE-2024-34144
Vulnerability Analysis
This vulnerability represents a Protection Mechanism Failure (CWE-693) in the Jenkins Script Security Plugin's sandbox implementation. The sandbox is designed to allow execution of untrusted Groovy scripts in a restricted environment, preventing potentially malicious code from accessing sensitive Jenkins internals or the underlying system.
The flaw lies in how the sandbox processes constructor bodies. Attackers can craft specific constructor implementations that escape the sandbox boundaries, effectively neutralizing the security controls meant to isolate script execution. Once the sandbox is bypassed, the attacker's code executes with the full privileges of the Jenkins controller JVM, which typically has extensive access to build configurations, credentials, and connected infrastructure.
Root Cause
The root cause is improper validation and restriction of constructor body execution within the Groovy sandbox. The Script Security Plugin's sandbox relies on whitelisting approved methods and blocking dangerous operations. However, the vulnerability allows specially crafted constructor bodies to circumvent these restrictions, demonstrating an incomplete implementation of the sandbox's protection mechanisms for constructor code paths.
Attack Vector
The attack requires network access to a Jenkins instance and permissions to define and run sandboxed scripts (typically through Pipeline definitions). An attacker with these permissions can craft a malicious Groovy script containing a specially constructed class with a constructor body designed to escape the sandbox.
The vulnerability manifests during the execution of sandboxed Groovy code when crafted constructor bodies are processed. See the Jenkins Security Advisory #SECURITY-3341 for detailed technical information about the sandbox bypass mechanism.
Detection Methods for CVE-2024-34144
Indicators of Compromise
- Unusual Pipeline or Job definitions containing complex constructor implementations
- Unexpected process spawning or network connections originating from the Jenkins controller
- Suspicious Groovy script submissions with obfuscated or encoded constructor bodies
- Unauthorized access to credentials or secrets stored in Jenkins
Detection Strategies
- Monitor Jenkins audit logs for new or modified Pipeline definitions by users with script permissions
- Implement script approval workflows and review Groovy scripts for unusual constructor patterns
- Enable Jenkins security audit logging and forward logs to SIEM for correlation analysis
- Deploy runtime monitoring on Jenkins controllers to detect anomalous JVM behavior
Monitoring Recommendations
- Configure alerting for any unapproved script executions or sandbox violations
- Monitor Jenkins system logs for stack traces indicating sandbox escape attempts
- Track changes to Job and Pipeline configurations through version control integration
- Establish baseline behavior for Jenkins controller processes and alert on deviations
How to Mitigate CVE-2024-34144
Immediate Actions Required
- Update Jenkins Script Security Plugin to the latest patched version immediately
- Review and audit all existing Pipeline scripts and sandboxed script definitions
- Restrict permissions for defining and running sandboxed scripts to trusted users only
- Enable Script Security Plugin's script approval feature to manually review all scripts
Patch Information
Jenkins has released a security patch addressing this vulnerability. Organizations should update to a Script Security Plugin version released after 1335.vf07d9ce377a_e. Detailed patch information and remediation guidance are available in the Jenkins Security Advisory #SECURITY-3341. Additional discussion of this vulnerability can be found in the Openwall Mailing List Discussion.
Workarounds
- Disable the ability for untrusted users to create or modify Pipeline scripts until patching is complete
- Implement network segmentation to limit the blast radius if the Jenkins controller is compromised
- Remove or restrict the Overall/Read, Job/Configure, or Pipeline creation permissions for non-administrative users
- Consider running Jenkins controllers in containerized environments with restricted capabilities
# Verify installed Script Security Plugin version
# Navigate to Jenkins > Manage Jenkins > Plugin Manager > Installed
# Or check via CLI:
java -jar jenkins-cli.jar -s http://your-jenkins-url/ list-plugins | grep script-security
# Update Script Security Plugin via CLI
java -jar jenkins-cli.jar -s http://your-jenkins-url/ install-plugin script-security -restart
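
To turn the list-plugins check above into a yes/no answer, the following added example (not part of the original advisory or of Jenkins) classifies the script-security line against the affected version named on this page. It assumes the installed version is the last column, or the one before a parenthesised update hint, and that the integer before the first dot places a release relative to 1335; the sample lines and the 1400.vEXAMPLE and 9999.vEXAMPLE versions are constructed.

```shell
#!/bin/sh
# Added example: classify the script-security line of `list-plugins` output.
# The page names 1335.vf07d9ce377a_e and earlier as affected, so the integer
# before the first dot is compared against 1335 (assumption: that integer
# increases with every release; legacy 1.x versions start with 1).
LAST_AFFECTED=1335

# Reads `list-plugins` output on stdin and prints one of:
#   AFFECTED <version> | OK <version> | UNKNOWN <version> | NOT_INSTALLED
classify_script_security() {
    awk -v last="$LAST_AFFECTED" '
        $1 == "script-security" {
            found = 1
            ver = $NF
            # Assumed format: a trailing "(x.y)" column advertises an available
            # update, so the installed version is the field before it.
            if (ver ~ /^\(.*\)$/ && NF > 2) ver = $(NF - 1)
            n = ver
            sub(/\..*$/, "", n)          # keep only the leading integer
            if (n !~ /^[0-9]+$/)    print "UNKNOWN " ver
            else if (n + 0 <= last) print "AFFECTED " ver
            else                    print "OK " ver
        }
        END { if (!found) print "NOT_INSTALLED" }
    '
}

# Constructed sample lines (not captured from a real controller).
sample_affected='script-security   Script Security Plugin   1335.vf07d9ce377a_e (1400.vEXAMPLE)
workflow-cps      Pipeline: Groovy         9999.vEXAMPLE'
sample_newer='script-security   Script Security Plugin   1400.vEXAMPLE'
sample_legacy='script-security   Script Security Plugin   1.78'

printf '%s\n' "$sample_affected" | classify_script_security
printf '%s\n' "$sample_newer"    | classify_script_security
printf '%s\n' "$sample_legacy"   | classify_script_security
```

On a live controller, pipe the output of the list-plugins command above into classify_script_security instead of the sample variables.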

