Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2023-25765

In Jenkins Email Extension Plugin 2.93 and earlier, templates defined inside a folder were not subject to Script Security protection, allowing attackers able to define email templates in folders to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

Published

2023-02-15T14:15:13.700

Last Modified

2025-03-19T17:15:38.733

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 9.9 (CRITICAL)

Weaknesses

Type: Primary
NVD-CWE-noinfo
Type: Secondary
CWE-693

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	jenkins	email_extension	< 2.93.1	Yes

References

http://www.openwall.com/lists/oss-security/2023/02/15/4 Mailing List, Third Party Advisory ([email protected])
https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-2939 Vendor Advisory ([email protected])
http://www.openwall.com/lists/oss-security/2023/02/15/4 Mailing List, Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.jenkins.io/security/advisory/2023-02-15/#SECURITY-2939 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)