Allele Security Alert
ASA-2019-00089, SECURITY-1293, CVE-2019-1003006
Sandbox bypass in Groovy Plugin
Groovy Plugin up to and including 2.0
Groovy Plugin version 2.1
Proof of concept
Groovy Plugin has a form validation HTTP endpoint used to validate a user-submitted Groovy script through compilation, which was not subject to sandbox protection. This allowed attackers with Overall/Read access to execute arbitrary code on the Jenkins master by applying AST transforming annotations such as @Grab to source code elements.
The affected HTTP endpoint now applies a safe Groovy compiler configuration preventing the use of unsafe AST transforming annotations.
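The kind of compiler configuration described above, as an added example that is not the plugin's own code: a Groovy script that compiles submitted source without running it and rejects compile-time annotations such as @Grab. The class names, the blocklist, the error text and the sample dependency coordinate are assumptions made for illustration.

```groovy
import org.codehaus.groovy.ast.*
import org.codehaus.groovy.classgen.GeneratorContext
import org.codehaus.groovy.control.*
import org.codehaus.groovy.control.customizers.CompilationCustomizer

// Assumed blocklist: annotations that run code or fetch dependencies at compile time.
class BlockedAnnotationVisitor extends ClassCodeVisitorSupport {
    static final List<String> BLOCKED = [
        'groovy.lang.Grab', 'groovy.lang.Grapes', 'groovy.lang.GrabConfig',
        'groovy.lang.GrabResolver', 'groovy.lang.GrabExclude',
        'groovy.transform.ASTTest', 'groovy.transform.AnnotationCollector']
    SourceUnit unit
    @Override protected SourceUnit getSourceUnit() { unit }
    @Override void visitAnnotations(AnnotatedNode node) {
        for (an in node.annotations) {
            String name = an.classNode.name  // not resolved yet: short or qualified
            if (BLOCKED.any { it == name || it.endsWith('.' + name) }) {
                addError('Annotation ' + name + ' is not allowed in validated scripts', an)
            }
        }
        super.visitAnnotations(node)  // also walk annotation member values
    }
}
// Runs in the CONVERSION phase, before annotation class names are resolved.
class RejectCompileTimeAnnotations extends CompilationCustomizer {
    RejectCompileTimeAnnotations() { super(CompilePhase.CONVERSION) }
    @Override void call(SourceUnit source, GeneratorContext context, ClassNode classNode) {
        new BlockedAnnotationVisitor(unit: source).visitClass(classNode)
    }
}
CompilerConfiguration safeConfig() {
    def cc = new CompilerConfiguration()
    cc.addCompilationCustomizers(new RejectCompileTimeAnnotations())
    cc.disabledGlobalASTTransformations = ['groovy.grape.GrabAnnotationTransformation'] as Set
    return cc
}

// Compile only, never run: the job of a form-validation check.
String validate(String script) {
    try {
        new GroovyShell(new GroovyClassLoader(), new Binding(), safeConfig()).parse(script)
        return 'OK'
    } catch (CompilationFailedException e) {
        return 'REJECTED: ' + e.message
    }
}

// Constructed inputs; the dependency coordinate is a placeholder.
println validate('println "hello"')
println validate("@Grab('org.example:placeholder:1.0')\nimport java.util.List\nprintln 1")
```

Disabling the global @Grab transform as well as rejecting the annotation keeps dependency resolution from starting even if the name check is missed.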
Jenkins Security Advisory 2019-01-28
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 24, 2019