Allele Security Alert
ASA-2019-00091
Identifier(s)
ASA-2019-00091, SECURITY-1295, CVE-2019-1003008
Title
Sandbox bypass via Cross-Site Request Forgery (CSRF) in Warnings Next Generation Plugin
Vendor(s)
CloudBees, Inc
Product(s)
Jenkins
Affected version(s)
Warnings Next Generation Plugin up to and including 2.1.1
Fixed version(s)
Warnings Next Generation Plugin version 2.1.2
Proof of concept
Unknown
Description
Warnings Next Generation Plugin has a form validation HTTP endpoint used to validate a Groovy script through compilation, which was not subject to sandbox protection. The endpoint checked for the Overall/RunScripts permission, but did not require POST requests, so it was vulnerable to cross-site request forgery (CSRF). This allowed attackers to execute arbitrary code on the Jenkins master by applying AST transforming annotations such as @Grab to source code elements.
The affected HTTP endpoint now applies a safe Groovy compiler configuration preventing the use of unsafe AST transforming annotations. Additionally, the form validation HTTP endpoint now requires that requests be sent via POST to prevent CSRF.
Technical details
Unknown
Credits
Unknown
Reference(s)
Jenkins Security Advisory 2019-01-28
https://jenkins.io/security/advisory/2019-01-28/
Jenkins Plugins
https://plugins.jenkins.io/warnings-ng
CVE-2019-1003008
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003008
CVE-2019-1003008
https://nvd.nist.gov/vuln/detail/CVE-2019-1003008
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 24, 2019