ASA-2019-00088 – Jenkins: Sandbox bypass in Script Security Plugin


Allele Security Alert

ASA-2019-00088

Identifier(s)

ASA-2019-00088, SECURITY-129, CVE-2019-1003005

Title

Sandbox bypass in Script Security Plugin

Vendor(s)

CloudBees, Inc

Product(s)

Jenkins

Affected version(s)

Script Security Plugin up to and including 1.50

Fixed version(s)

Script Security Plugin version 1.51
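
To check an instance against the affected and fixed versions listed above, the following added example (not part of the original alert or of Jenkins) evaluates a plugin inventory in the shape returned by Jenkins' `/pluginManager/api/json?depth=1`. The sample inventory is constructed, and treating qualified builds of 1.51 (such as `-SNAPSHOT`) as affected is an assumption.

```python
import json
import re

PLUGIN = "script-security"  # short name, as in the plugins.jenkins.io URL
FIXED = (1, 51)             # advisory: fixed in 1.51, affected up to and including 1.50

# Constructed sample inventory (not real output), using the field names of the
# Jenkins plugin manager JSON: shortName, version, enabled, active.
SAMPLE = json.dumps({"plugins": [
    {"shortName": "git", "version": "3.9.1", "enabled": True, "active": True},
    {"shortName": "script-security", "version": "1.50", "enabled": True, "active": True},
]})

def parse_version(text):
    """Split '1.50', '1.50.1' or '1.51-SNAPSHOT' into ((1, 50), qualifier)."""
    m = re.match(r"^(\d+(?:\.\d+)*)(.*)$", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2)

def is_affected(version_text):
    """True if the version is below 1.51 (compared numerically, not as text)."""
    nums, qualifier = parse_version(version_text)
    width = max(len(nums), len(FIXED))
    nums = nums + (0,) * (width - len(nums))      # pad so 1.51 == 1.51.0
    fixed = FIXED + (0,) * (width - len(FIXED))
    if nums < fixed:
        return True
    # Assumption: a qualified build of exactly 1.51 may predate the fix.
    return nums == fixed and qualifier != ""

def assess(inventory_json):
    """Return 'not-installed', 'unknown', 'fixed', 'affected' or 'affected-disabled'."""
    for plugin in json.loads(inventory_json).get("plugins", []):
        if plugin.get("shortName") != PLUGIN:
            continue
        try:
            affected = is_affected(str(plugin.get("version", "")))
        except ValueError:
            return "unknown"
        if not affected:
            return "fixed"
        running = plugin.get("enabled", True) and plugin.get("active", True)
        return "affected" if running else "affected-disabled"
    return "not-installed"

if __name__ == "__main__":
    print(assess(SAMPLE))
```

A plain string comparison would misorder versions such as 1.9 and 1.51, which is why the components are compared as integers.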

Proof of concept

Unknown

Description

Script Security sandbox protection could be circumvented during the script compilation phase by applying AST-transforming annotations such as `@Grab` to source code elements.

This affected an HTTP endpoint, used to validate a user-submitted Groovy script, that was not covered by the 2019-01-08 fix for SECURITY-1266. It allowed users with Overall/Read permission to bypass the sandbox protection and execute arbitrary code on the Jenkins master.

Technical details

Unknown

Credits

Mikhail Egorov

Reference(s)

Jenkins Security Advisory 2019-01-28
https://jenkins.io/security/advisory/2019-01-28/

Jenkins Plugins
https://plugins.jenkins.io/script-security

CVE-2019-1003005
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003005

CVE-2019-1003005
https://nvd.nist.gov/vuln/detail/CVE-2019-1003005

Last modified: June 20, 2019