ASA-2019-00090 – Jenkins: Sandbox bypass via Cross-Site Request Forgery (CSRF) in Warnings Plugin

Warnings Plugin has a form validation HTTP endpoint used to validate a user-submitted Groovy script through compilation, which was not subject to sandbox protection. The endpoint checked for the Overall/RunScripts permission, but did not require POST requests, so it was vulnerable to cross-site request forgery (CSRF). This allowed attackers to execute arbitrary code on the Jenkins master by applying AST transforming annotations such as @Grab to source code elements. The affected HTTP endpoint now applies a safe Groovy compiler configuration preventing the use of unsafe AST transforming annotations. Additionally, the form validation HTTP endpoint now requires that requests be sent via POST to prevent CSRF.