CVE-2024-34144 – jenkins-plugin/script-security: sandbox bypass via crafted constructor bodies
https://notcve.org/view.php?id=CVE-2024-34144
A sandbox bypass vulnerability involving crafted constructor bodies in Jenkins Script Security Plugin 1335.vf07d9ce377a_e and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. Una vulnerabilidad de omisión de la sandbox que involucra cuerpos de constructores manipulados en Jenkins Script Security Plugin 1335.vf07d9ce377a_e y versiones anteriores permite a atacantes con permiso para definir y ejecutar scripts de la sandbox, incluidos Pipelines, eludir la protección de la sandbox y ejecutar código arbitrario en el contexto de la JVM del controlador Jenkins. A sandbox bypass vulnerability was found in the Jenkins Script Security Plugin involving crafted constructor bodies, enabling the circumvention of security restrictions. ... This security mechanism intercepts calls within sandboxed scripts, referencing various allowlists to decide whether these calls should be permitted. The vulnerabilities that allow for sandbox bypass have been identified in versions up to 1335.vf07d9ce377a_e of the Script Security Plugin. ... These improvements ensure that calls to super constructors are intercepted by the sandbox, including: - Ensuring that calls to other constructors via 'this' are now appropriately managed within the sandbox. - No longer overlooking classes in packages that may be overshadowed by Groovy-defined classes when intercepting super constructor calls. • https://github.com/MXWXZ/CVE-2024-34144 http://www.openwall.com/lists/oss-security/2024/05/02/3 https://www.jenkins.io/security/advisory/2024-05-02/#SECURITY-3341 https://access.redhat.com/security/cve/CVE-2024-34144 https://bugzilla.redhat.com/show_bug.cgi?id=2278820 • CWE-693: Protection Mechanism Failure •
CVE-2024-4040 – CrushFTP VFS Sandbox Escape Vulnerability
https://notcve.org/view.php?id=CVE-2024-4040
A server side template injection vulnerability in CrushFTP in all versions before 10.7.1 and 11.1.0 on all platforms allows unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication to gain administrative access, and perform remote code execution on the server. VFS Sandbox Escape en CrushFTP en todas las versiones anteriores a 10.7.1 y 11.1.0 en todas las plataformas permite a atacantes remotos con privilegios bajos leer archivos del sistema de archivos fuera de VFS Sandbox. CrushFTP contains an unspecified sandbox escape vulnerability that allows a remote attacker to escape the CrushFTP virtual file system (VFS). • https://github.com/entroychang/CVE-2024-4040 https://github.com/Mohammaddvd/CVE-2024-4040 https://github.com/Praison001/CVE-2024-4040-CrushFTP-server https://github.com/airbus-cert/CVE-2024-4040 https://github.com/Stuub/CVE-2024-4040-SSTI-LFI-PoC https://github.com/gotr00t0day/CVE-2024-4040 https://github.com/rbih-boulanouar/CVE-2024-4040 https://github.com/jakabakos/CVE-2024-4040-CrushFTP-File-Read-vulnerability https://github.com/olebris/CVE-2024-4040 https://github.com • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVE-2024-32462 – Flatpak vulnerable to a sandbox escape via RequestBackground portal due to bad argument parsing
https://notcve.org/view.php?id=CVE-2024-32462
Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. in versions before 1.10.9, 1.12.9, 1.14.6, and 1.15.8, a malicious or compromised Flatpak app could execute arbitrary code outside its sandbox. ... When this is converted into a `--command` and arguments, it achieves the same effect of passing arguments directly to `bwrap`, and thus can be used for a sandbox escape. ... Cuando esto se convierte en un `--command` y argumentos, logra el mismo efecto de pasar argumentos directamente a `bwrap` y, por lo tanto, puede usarse para un escape sandbox. ... This is normally safe because it can only specify a command that exists inside the sandbox. When a crafted "commandline" is converted into a "--command" and arguments, the app could achieve the same effect of passing arguments directly to bwrap to achieve sandbox escape. • http://www.openwall.com/lists/oss-security/2024/04/18/5 https://github.com/flatpak/flatpak/commit/72016e3fce8fcbeab707daf4f1a02b931fcc004d https://github.com/flatpak/flatpak/commit/81abe2a37d363f5099c3d0bdcd0caad6efc5bf97 https://github.com/flatpak/flatpak/commit/b7c1a558e58aaeb1d007d29529bbb270dc4ff11e https://github.com/flatpak/flatpak/commit/bbab7ed1e672356d1a78b422462b210e8e875931 https://github.com/flatpak/flatpak/security/advisories/GHSA-phv6-cpc2-2fgj https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/messa • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVE-2024-29021 – SSRF into Sandbox Escape through Unsafe Default Configuration
https://notcve.org/view.php?id=CVE-2024-29021
The default configuration of Judge0 leaves the service vulnerable to a sandbox escape via Server Side Request Forgery (SSRF). ... La configuración predeterminada de Judge0 deja al servicio vulnerable a un escape de la zona de pruebas a través de Server Side Request Forgery (SSRF). • https://github.com/judge0/judge0/blob/ad66f77b131dbbebf2b9ff8083dca9a68680b3e5/app/jobs/isolate_job.rb#L203-L230 https://github.com/judge0/judge0/security/advisories/GHSA-q7vg-26pg-v5hr • CWE-918: Server-Side Request Forgery (SSRF) CWE-1393: Use of Default Password •
CVE-2024-28189 – Judge0 vulnerable to Sandbox Escape Patch Bypass via chown running on Symbolic Link
https://notcve.org/view.php?id=CVE-2024-28189
The application uses the UNIX chown command on an untrusted file within the sandbox. An attacker can abuse this by creating a symbolic link (symlink) to a file outside the sandbox, allowing the attacker to run chown on arbitrary files outside of the sandbox. This vulnerability is not impactful on it's own, but it can be used to bypass the patch for CVE-2024-28185 and obtain a complete sandbox escape. ... Un atacante puede abusar de esto creando un enlace simbólico (enlace simbólico) a un archivo fuera del entorno sandbox, lo que le permite ejecutar chown en archivos arbitrarios fuera del entorno sandbox. Esta vulnerabilidad no tiene un impacto por sí sola, pero se puede utilizar para omitir el parche CVE-2024-28185 y obtener un escape completo de la zona de pruebas. • https://github.com/judge0/judge0/blob/v1.13.0/app/jobs/isolate_job.rb#L232 https://github.com/judge0/judge0/commit/f3b8547b3b67863e4ea0ded3adcb963add56addd https://github.com/judge0/judge0/security/advisories/GHSA-3xpw-36v7-2cmg https://github.com/judge0/judge0/security/advisories/GHSA-h9g2-45c8-89cf • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-61: UNIX Symbolic Link (Symlink) Following •