
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2020-2110 affects the Jenkins Script Security Plugin versions 1.69 and earlier. The vulnerability was discovered and disclosed on February 12, 2020, and was assigned a High severity rating. This security flaw impacts the sandbox protection mechanism in the Jenkins Script Security Plugin, specifically affecting script execution and HTTP endpoints providing sandboxed script validation (Jenkins Advisory).
The vulnerability allows sandbox protection to be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to imports, or by using them inside other annotations. This is particularly concerning because it affects both script execution (typically invoked from other plugins such as Pipeline) and the HTTP endpoints that provide sandboxed script validation. The issue was identified as an incomplete fix of a previous vulnerability (SECURITY-1266). The CVSS base score for this vulnerability is 8.8 (High), indicating significant potential impact (AttackerKB).
Users with Overall/Read permission can exploit this vulnerability to bypass sandbox protection and execute arbitrary code on the Jenkins controller. This means that attackers with basic read access to Jenkins could potentially execute malicious code with the same privileges as the Jenkins controller process (Jenkins Advisory).
The vulnerability was fixed in Script Security Plugin version 1.70, which disallows all known unsafe AST transformations on imports or when used inside of other annotations. Users are strongly advised to upgrade to this version or later to protect against this security issue (Jenkins Advisory).
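An added audit helper, not part of this report or of the Jenkins project, that checks the installed Script Security Plugin version against the 1.70 fix version named above. It assumes the JSON shape returned by a Jenkins controller's /pluginManager/api/json?depth=1 endpoint (a `plugins` array with `shortName` and `version` fields) and uses a constructed sample response in place of a live controller.

```python
import json
import re

# Fix version from the advisory: Script Security Plugin 1.70 disallows the
# unsafe AST transformations behind CVE-2020-2110.
FIXED_VERSION = (1, 70)
PLUGIN_SHORT_NAME = "script-security"  # plugin id as reported by the plugin manager


def parse_version(version):
    """Turn a Jenkins plugin version string into a comparable tuple of ints.

    Handles classic "1.69"-style versions and newer "1234.vabc..." versions by
    keeping only the leading digits of each dot-separated component.
    """
    parts = []
    for component in version.split("."):
        m = re.match(r"\d+", component)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable(version):
    """True if the given script-security version is 1.69 or earlier."""
    parsed = parse_version(version)
    if not parsed:
        raise ValueError(f"unparseable plugin version: {version!r}")
    return parsed < FIXED_VERSION


def audit_plugins(plugin_manager_json):
    """Return (installed_version, vulnerable) for script-security, or None if absent."""
    data = json.loads(plugin_manager_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == PLUGIN_SHORT_NAME:
            version = str(plugin["version"])
            return version, is_vulnerable(version)
    return None


# Constructed sample response (assumed shape of the real endpoint), not real data.
SAMPLE_RESPONSE = json.dumps({"plugins": [
    {"shortName": "workflow-aggregator", "version": "2.6", "active": True},
    {"shortName": "script-security", "version": "1.69", "active": True},
]})

if __name__ == "__main__":
    result = audit_plugins(SAMPLE_RESPONSE)
    if result is None:
        print("script-security not installed")
    else:
        version, vuln = result
        print(f"script-security {version}: "
              + ("VULNERABLE, upgrade to 1.70 or later" if vuln else "patched"))
```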
The vulnerability was reported by Nils Emmerich of ERNW Research GmbH and was addressed as part of a larger security advisory that included multiple Jenkins plugin vulnerabilities. The Jenkins project publicly acknowledged the discovery in their security advisory (Jenkins Advisory).
Source: This report was generated using AI