CVE-2023-25765: 
Java vulnerability analysis and mitigation

CVE-2023-25765 (SECURITY-2939) is a high-severity vulnerability affecting the Jenkins Email Extension Plugin versions 2.93 and earlier. The vulnerability was discovered and reported by Yaroslav Afenkin from CloudBees, Inc. and was disclosed on February 15, 2023. The affected component is the Email Extension Plugin's template security mechanism, specifically when templates are defined inside folders (Jenkins Advisory, CVE Details).

The vulnerability stems from a security control bypass in the Email Extension Plugin's template handling mechanism. The plugin allows users to define custom email templates using the Config File Provider plugin as Jelly or Groovy files. While these templates should be subject to Script Security protection when defined inside a folder, the security control was missing in affected versions. This bypass circumvents both sandboxed execution and full-script approval requirements (Jenkins Advisory).

The vulnerability allows attackers with the ability to define email templates in folders to bypass the sandbox protection mechanism. This bypass enables the execution of arbitrary code within the context of the Jenkins controller Java Virtual Machine (JVM), potentially leading to complete system compromise (Jenkins Advisory).

The vulnerability has been fixed in Email Extension Plugin version 2.93.1. In this version, email templates defined in folders are properly subject to sandbox protection. Users are strongly advised to upgrade to this version to mitigate the vulnerability (Jenkins Advisory).