[MAVEN:GHSA-6Q78-6XVR-26FG] Jenkins Groovy Plugin sandbox bypass vulnerability

Severity High
Affected Packages 3
Fixed Packages 3
CVEs 1

Jenkins Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements.

Both the pipeline validation REST APIs and actual script/pipeline execution are affected.

This allowed users with Overall/Read permission, or able to control Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass the sandbox protection and execute arbitrary code on the Jenkins controller.

All known unsafe AST transformations in Groovy are now prohibited in sandboxed scripts.
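The sandbox failed here because @Grab and similar annotations are applied by the Groovy compiler before any sandbox interception of the running script, so an interim control is to look for such annotations in Pipeline source before the compiler does. The scanner below is an added example written for this page, not Jenkins project code. It reports Grape annotations in Jenkinsfile or shared-library Groovy while ignoring occurrences inside comments and string literals, which the compiler would not apply. The advisory names only @Grab; extending the check to the rest of the Grape family (@Grapes, @GrabConfig, @GrabResolver, @GrabExclude) and the sample Jenkinsfile are assumptions made here. Groovy's slashy and dollar-slashy string forms are not handled.

```python
"""Report Grape (compile-time AST transforming) annotations in Pipeline Groovy.

Added example for this page, not Jenkins project code. Meant as a repository
sweep or pre-receive check while the fixed plugin versions are rolled out.
"""
import re

# @Grab is the annotation the advisory names. Extending the check to the rest of
# the Grape family (all in groovy.lang) is an assumption made here: each of them
# is processed by the compiler before any sandbox interception of the script.
GRAPE_ANNOTATIONS = ("Grab", "Grapes", "GrabConfig", "GrabResolver", "GrabExclude")

# Matches @Grab, @groovy.lang.Grab, @Grab(...) as whole words.
ANNOTATION_RE = re.compile(
    r"@(?:groovy\.lang\.)?(" + "|".join(GRAPE_ANNOTATIONS) + r")\b"
)


def strip_comments_and_strings(source: str) -> str:
    """Blank out comments and string literals but keep every newline.

    Keeping newlines means line numbers in the cleaned text match the source.
    Handles // and /* */ comments, single- and double-quoted strings with
    backslash escapes, and triple-quoted strings. Groovy's slashy /.../ and
    dollar-slashy $/.../$ strings are not handled.
    """
    out = []
    i, n = 0, len(source)
    while i < n:
        ch = source[i]
        two = source[i:i + 2]
        if two == "//":                           # line comment: drop to end of line
            j = source.find("\n", i)
            i = n if j == -1 else j
        elif two == "/*":                         # block comment: keep its newlines
            j = source.find("*/", i + 2)
            end = n if j == -1 else j + 2
            out.append("\n" * source[i:end].count("\n"))
            i = end
        elif source[i:i + 3] in ('"""', "'''"):   # triple-quoted string
            quote = source[i:i + 3]
            j = source.find(quote, i + 3)
            end = n if j == -1 else j + 3
            out.append("\n" * source[i:end].count("\n"))
            i = end
        elif ch in "\"'":                         # single-line string with escapes
            j = i + 1
            while j < n and source[j] not in (ch, "\n"):
                j += 2 if source[j] == "\\" else 1
            i = j + 1 if j < n and source[j] == ch else j
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def find_grape_annotations(source: str) -> list:
    """Return (line_number, annotation) pairs for annotations the compiler would apply."""
    cleaned = strip_comments_and_strings(source)
    hits = []
    for lineno, line in enumerate(cleaned.splitlines(), start=1):
        for match in ANNOTATION_RE.finditer(line):
            hits.append((lineno, match.group(1)))
    return hits


# Constructed sample, not a real Jenkinsfile: one live @Grab on line 2, plus one
# in a comment and one inside a string that must not be reported.
SAMPLE_JENKINSFILE = """\
// @Grab('org.example:old-lib:1.0') commented out, never compiled
@Grab(group='org.example', module='some-lib', version='1.0')
import org.example.SomeClass

pipeline {
  agent any
  stages {
    stage('build') {
      steps {
        echo "the text @Grab inside a string is harmless"
        sh 'make'
      }
    }
  }
}
"""

if __name__ == "__main__":
    for lineno, name in find_grape_annotations(SAMPLE_JENKINSFILE):
        print(f"line {lineno}: @{name} is applied at compile time, before the sandbox runs")
```

Run it over every Jenkinsfile and every file under vars/ and src/ of a shared library, as a pre-receive hook or a CI job. A hit is not proof of exploitation, only of an annotation that the pre-fix sandbox let through at compile time; once the fixed plugin versions are installed, sandboxed scripts carrying these annotations are rejected by the plugins themselves.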

ID
MAVEN:GHSA-6Q78-6XVR-26FG
Severity
high
URL
https://github.com/advisories/GHSA-6q78-6xvr-26fg
Published
2022-05-13T01:15:20
Modified
2023-12-15T17:33:51
Rights
Maven Security Team
Other Advisories
Type      Package URL                                                    Namespace                        Name / Product             Version
Affected  pkg:maven/org.jenkins-ci.plugins/script-security               org.jenkins-ci.plugins           script-security            <= 1.49
Fixed     pkg:maven/org.jenkins-ci.plugins/script-security               org.jenkins-ci.plugins           script-security            = 1.50
Affected  pkg:maven/org.jenkins-ci.plugins/pipeline-model-definition     org.jenkins-ci.plugins           pipeline-model-definition  <= 1.3.4
Fixed     pkg:maven/org.jenkins-ci.plugins/pipeline-model-definition     org.jenkins-ci.plugins           pipeline-model-definition  = 1.3.4.1
Affected  pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps-parent  org.jenkins-ci.plugins.workflow  workflow-cps-parent        <= 2.61
Fixed     pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps-parent  org.jenkins-ci.plugins.workflow  workflow-cps-parent        = 2.61.1
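A direct way to use the table above is to compare a controller's installed-plugin inventory against the last affected and first fixed versions. The script below is an added example for this page, not Jenkins project code. It reads one shortName:version line per plugin (the plugins.txt convention; the same list can be printed from the Jenkins script console with Jenkins.instance.pluginManager.plugins.each { println "${it.shortName}:${it.version}" }) and compares versions with the four-component fixes in mind, where 1.3.4.1 must sort after 1.3.4 and 2.61.1 after 2.61. The plugin short names are assumptions: Maven lists the Pipeline: Groovy plugin under its workflow-cps-parent POM, while the controller installs it as workflow-cps. The inventory is constructed for the example.

```python
"""Compare an installed Jenkins plugin inventory with the ranges in this advisory.

Added example for this page, not Jenkins project code. Input is one
'shortName:version' line per plugin, the plugins.txt convention; the same list
comes out of the Jenkins script console with
  Jenkins.instance.pluginManager.plugins.each { println "${it.shortName}:${it.version}" }
"""
import re

# Plugin short name -> (last affected version, first fixed version), from the
# table above. Short names are an assumption: Maven lists the Pipeline: Groovy
# plugin under its workflow-cps-parent POM, but the controller installs it as
# workflow-cps.
ADVISORY_RANGES = {
    "script-security": ("1.49", "1.50"),
    "pipeline-model-definition": ("1.3.4", "1.3.4.1"),
    "workflow-cps": ("2.61", "2.61.1"),
}


def parse_version(version: str) -> tuple:
    """Numeric components only: '1.3.4.1' -> (1, 3, 4, 1). Qualifiers are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def version_le(a: str, b: str) -> bool:
    """a <= b with missing trailing components treated as 0.

    Padding matters for the four-component fixes in this advisory:
    1.3.4 < 1.3.4.1 and 2.61 < 2.61.1, while 1.3.4.0 == 1.3.4.
    """
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    return pa + (0,) * (width - len(pa)) <= pb + (0,) * (width - len(pb))


def parse_inventory(inventory: str) -> dict:
    """'name:version' lines -> {name: version}; blank lines and # comments skipped."""
    installed = {}
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition(":")
        installed[name.strip()] = version.strip()
    return installed


def assess_inventory(inventory: str) -> dict:
    """For each plugin in the advisory: 'affected ...', 'fixed ...' or 'not installed'."""
    installed = parse_inventory(inventory)
    result = {}
    for plugin, (last_affected, first_fixed) in ADVISORY_RANGES.items():
        if plugin not in installed:
            result[plugin] = "not installed"
        elif version_le(installed[plugin], last_affected):
            result[plugin] = (f"affected ({installed[plugin]} <= {last_affected}, "
                              f"upgrade to {first_fixed})")
        else:
            result[plugin] = f"fixed ({installed[plugin]})"
    return result


# Constructed inventory, not taken from a real controller.
SAMPLE_INVENTORY = """\
# plugins.txt
script-security:1.49
pipeline-model-definition:1.3.4.1
workflow-cps:2.61
git:3.9.1
"""

if __name__ == "__main__":
    for plugin, status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{plugin}: {status}")
```

Any "affected" line describes a controller on which the conditions in the description apply: a user with Overall/Read permission, or anyone able to change a Jenkinsfile or sandboxed shared-library content in SCM, can run code on the controller. The advisory lists all three plugins as affected, so every one that is installed should be taken to at least its fixed version in the same maintenance window.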