[JENKINS:SECURITY-3016] Sandbox bypass vulnerability in `script-security`
script-security provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute.
Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowed.
In script-security 1228.vd93135a_2fb_25 and earlier, property assignments performed implicitly by the Groovy language runtime when invoking map constructors were not intercepted by the sandbox.
This vulnerability allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
script-security 1229.v4880b_b_e905a_6 intercepts property assignments when invoking map constructors.
NOTE: As part of this fix, map constructors may only be invoked in the sandbox using the new keyword. Attempting to invoke a map constructor using a Groovy cast will fail unconditionally. For example, code such as [key: value] as MyClass or MyClass mc = [key: value] must be converted to use new MyClass(key: value) instead.
| Package | Affected Version |
|---|---|
 pkg:maven/org.jenkins-ci.plugins/script-security
|
<= 1228.vd93135a_2fb_25 |
 pkg:github/jenkinsci/script-security-plugin
|
<= 1228.vd93135a_2fb_25 |
| Package | Fixed Version |
|---|---|
|
pkg:maven/org.jenkins-ci.plugins/script-security
|
= 1229.v4880b_b_e905a_6 |
|
pkg:github/jenkinsci/script-security-plugin
|
= 1229.v4880b_b_e905a_6 |
- ID
- JENKINS:SECURITY-3016
- Severity
- high
- Published
-
2023-01-24T00:00:00
(20 months ago) - Modified
-
2023-01-24T00:00:00
(20 months ago) - Rights
- Jenkins Security Team
- Other Advisories
MAVEN:GHSA-76QJ-9GWH-PVV3| Source | # ID | Name | URL |
|---|---|---|---|
| Plugin repository | script-security repository |
|
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:maven/org.jenkins-ci.plugins/script-security | org.jenkins-ci.plugins |
script-security
|
<= 1228.vd93135a_2fb_25 | |||
| Fixed | pkg:maven/org.jenkins-ci.plugins/script-security | org.jenkins-ci.plugins |
script-security
|
= 1229.v4880b_b_e905a_6 | |||
| Affected | pkg:github/jenkinsci/script-security-plugin | jenkinsci |
script-security-plugin
|
<= 1228.vd93135a_2fb_25 | |||
| Fixed | pkg:github/jenkinsci/script-security-plugin | jenkinsci |
script-security-plugin
|
= 1229.v4880b_b_e905a_6 |
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | Exploits | PoC | Pubblication Date | Modification Date |
|---|---|---|---|---|---|---|---|---|---|---|---|
| # CVE | Description | CVSS | EPSS | EPSS Trend (30 days) | Affected Products | Weaknesses | Security Advisories | PoC | Pubblication Date | Modification Date |