Allele Security Alert
ASA-2019-00089
Identifier(s)
ASA-2019-00089, SECURITY-1293, CVE-2019-1003006
Title
Sandbox bypass in Groovy Plugin
Vendor(s)
CloudBees
Product(s)
Jenkins
Affected version(s)
Groovy Plugin up to and including 2.0
Fixed version(s)
Groovy Plugin version 2.1
Proof of concept
Unknown
Description
Groovy Plugin has a form validation HTTP endpoint used to validate a user-submitted Groovy script through compilation, which was not subject to sandbox protection. This allowed attackers with Overall/Read access to execute arbitrary code on the Jenkins master by applying AST transforming annotations such as @Grab to source code elements.
The affected HTTP endpoint now applies a safe Groovy compiler configuration preventing the use of unsafe AST transforming annotations.
Technical details
Unknown
Credits
Unknown
Reference(s)
Jenkins Security Advisory 2019-01-28
https://jenkins.io/security/advisory/2019-01-28/
Jenkins Plugins
https://plugins.jenkins.io/groovy
CVE-2019-1003006
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003006
CVE-2019-1003006
https://nvd.nist.gov/vuln/detail/CVE-2019-1003006
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 24, 2019