[MAVEN:GHSA-JGPM-2862-Q5M8] Jenkins Script Security Plugin sandbox bypass vulnerability

Severity High

Affected Packages 1

Fixed Packages 1

CVEs 1

The previously implemented script security sandbox protections prohibiting the use of unsafe AST transforming annotations such as @Grab (2019-01-08 fix for SECURITY-1266) could be circumvented through use of various Groovy language features:

Use of AnnotationCollector
Import aliasing
Referencing annotation types using their full class name

This allowed users with Overall/Read permission, or the ability to control Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass the sandbox protection and execute arbitrary code on the Jenkins controller.

Using AnnotationCollector is now newly prohibited in sandboxed scripts such as Pipelines. Importing any of the annotations considered unsafe will now result in an error. During the compilation phase, both simple and full class names of prohibited annotations are rejected for element annotations.

Package	Affected Version
pkg:maven/org.jenkins-ci.plugins/script-security	<= 1.52

Package	Fixed Version
pkg:maven/org.jenkins-ci.plugins/script-security	= 1.53

ID

MAVEN:GHSA-JGPM-2862-Q5M8

Severity

high

URL

https://github.com/advisories/GHSA-jgpm-2862-q5m8

Published

2022-05-13T01:15:21
(2 years ago)

Modified

2023-12-20T13:33:31
(9 months ago)

Rights

Maven Security Team

Other Advisories

JENKINS:SECURITY-1320

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2019-1003024
			https://access.redhat.com/errata/RHSA-2019:0739
			https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1320
			https://web.archive.org/web/20200227084947/http://www.securityfocus.com/bid/107295
			https://github.com/jenkinsci/script-security-plugin/commit/3228c88e84f0b2f24845b6466cae35617e082059
			https://github.com/advisories/GHSA-jgpm-2862-q5m8

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:maven/org.jenkins-ci.plugins/script-security	org.jenkins-ci.plugins	script-security	<= 1.52
Fixed	pkg:maven/org.jenkins-ci.plugins/script-security	org.jenkins-ci.plugins	script-security	= 1.53

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date