Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02cTc4LTZ4dnItMjZmZ833sw
Jenkins Groovy Plugin sandbox bypass vulnerability
Jenkins Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab
to source code elements.
Both the pipeline validation REST APIs and actual script/pipeline execution are affected.
This allowed users with Overall/Read permission, or able to control Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass the sandbox protection and execute arbitrary code on the Jenkins controller.
All known unsafe AST transformations in Groovy are now prohibited in sandboxed scripts.
Permalink: https://github.com/advisories/GHSA-6q78-6xvr-26fgJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02cTc4LTZ4dnItMjZmZ833sw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 4 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-6q78-6xvr-26fg, CVE-2019-1003001
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-1003001
- https://access.redhat.com/errata/RHBA-2019:0326
- https://access.redhat.com/errata/RHBA-2019:0327
- https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266
- https://www.exploit-db.com/exploits/46572/
- http://packetstormsecurity.com/files/152132/Jenkins-ACL-Bypass-Metaprogramming-Remote-Code-Execution.html
- http://www.rapid7.com/db/modules/exploit/multi/http/jenkins_metaprogramming
- https://github.com/jenkinsci/pipeline-model-definition-plugin/commit/6d7884dec610bf34503d24d494d994e9fc607642
- https://github.com/jenkinsci/script-security-plugin/commit/2c5122e50742dd16492f9424992deb21cc07837c
- https://github.com/jenkinsci/workflow-cps-plugin/commit/66c3e7aafe7888d4e1fe9995a688bb3fb742d742
- https://github.com/advisories/GHSA-6q78-6xvr-26fg
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:script-security
Affected Version Ranges: <= 1.49Fixed in: 1.50
maven:org.jenkins-ci.plugins:pipeline-model-definition
Affected Version Ranges: <= 1.3.4Fixed in: 1.3.4.1
maven:org.jenkins-ci.plugins.workflow:workflow-cps-parent
Affected Version Ranges: <= 2.61Fixed in: 2.61.1