ASA-2019-00089 – Jenkins: Sandbox bypass in Groovy Plugin

Posted on by Allele Security Intelligence in Alerts

Allele Security Alert

ASA-2019-00089

Identifier(s)

ASA-2019-00089, SECURITY-1293, CVE-2019-1003006

Title

Sandbox bypass in Groovy Plugin

Vendor(s)

CloudBees

Product(s)

Jenkins

Affected version(s)

Groovy Plugin up to and including 2.0

Fixed version(s)

Groovy Plugin version 2.1

Proof of concept

Unknown

Description

Groovy Plugin has a form validation HTTP endpoint used to validate a user-submitted Groovy script through compilation, which was not subject to sandbox protection. This allowed attackers with Overall/Read access to execute arbitrary code on the Jenkins master by applying AST transforming annotations such as @Grab to source code elements.

The affected HTTP endpoint now applies a safe Groovy compiler configuration preventing the use of unsafe AST transforming annotations.

Technical details

Unknown

Credits

Unknown

Reference(s)

Jenkins Security Advisory 2019-01-28
https://jenkins.io/security/advisory/2019-01-28/

Jenkins Plugins
https://plugins.jenkins.io/groovy

CVE-2019-1003006
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003006

CVE-2019-1003006
https://nvd.nist.gov/vuln/detail/CVE-2019-1003006

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: February 24, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.