Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS02cTc4LTZ4dnItMjZmZ833sw

Jenkins Groovy Plugin sandbox bypass vulnerability

Jenkins Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements.

Both the pipeline validation REST APIs and actual script/pipeline execution are affected.

This allowed users with Overall/Read permission, or able to control Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass the sandbox protection and execute arbitrary code on the Jenkins controller.

All known unsafe AST transformations in Groovy are now prohibited in sandboxed scripts.

Permalink: https://github.com/advisories/GHSA-6q78-6xvr-26fg
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02cTc4LTZ4dnItMjZmZ833sw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 4 months ago


CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-6q78-6xvr-26fg, CVE-2019-1003001
References: Repository: https://github.com/jenkinsci/pipeline-model-definition-plugin
Blast Radius: 1.0

Affected Packages

maven:org.jenkins-ci.plugins:script-security
Affected Version Ranges: <= 1.49
Fixed in: 1.50
maven:org.jenkins-ci.plugins:pipeline-model-definition
Affected Version Ranges: <= 1.3.4
Fixed in: 1.3.4.1
maven:org.jenkins-ci.plugins.workflow:workflow-cps-parent
Affected Version Ranges: <= 2.61
Fixed in: 2.61.1