Allele Security Alert
ASA-2019-00090
Identifier(s)
ASA-2019-00090, SECURITY-1295, CVE-2019-1003007
Title
Sandbox bypass via Cross-Site Request Forgery (CSRF) in Warnings Plugin
Vendor(s)
CloudBees, Inc
Product(s)
Jenkins
Affected version(s)
Warnings Plugin up to and including 5.0.0
Fixed version(s)
Warnings Plugin version 5.0.1
Proof of concept
Unknown
Description
Warnings Plugin has a form validation HTTP endpoint used to validate a user-submitted Groovy script through compilation, which was not subject to sandbox protection. The endpoint checked for the Overall/RunScripts permission, but did not require POST requests, so it was vulnerable to cross-site request forgery (CSRF). This allowed attackers to execute arbitrary code on the Jenkins master by applying AST transforming annotations such as @Grab to source code elements. The affected HTTP endpoint now applies a safe Groovy compiler configuration preventing the use of unsafe AST transforming annotations. Additionally, the form validation HTTP endpoint now requires that requests be sent via POST to prevent CSRF.
Technical details
Unknown
Credits
Unknown
Reference(s)
Jenkins Security Advisory 2019-01-28
https://jenkins.io/security/advisory/2019-01-28/
Jenkins Plugins
https://plugins.jenkins.io/warnings
CVE-2019-1003007
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003007
CVE-2019-1003007
https://nvd.nist.gov/vuln/detail/CVE-2019-1003007
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 24, 2019