GHSA-c9c2-wcxh-3w5j

GitHub Security Advisory

Sandbox escape in Jenkins Email Extension Plugin

✓ GitHub Reviewed | CRITICAL | Has CVE

Advisory Details

In Jenkins Email Extension Plugin 2.93 and earlier, templates defined inside a folder were not subject to Script Security protection, allowing attackers able to define email templates in folders to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

Affected Packages

Maven org.jenkins-ci.plugins:email-ext
Affected versions: 0 (fixed in 2.94)

Key Information

GHSA ID: GHSA-c9c2-wcxh-3w5j
Published: February 15, 2023 3:30 PM
Last Modified: February 23, 2023 9:31 PM
CVSS Score: 9.0 / 10
Primary Ecosystem: Maven
Primary Package: org.jenkins-ci.plugins:email-ext
GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 5, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.