Until explicitly accessed by script, window.globalThis is not enumerable and, as a result, is not visible to code such as Object.getOwnPropertyNames(window). Sites that deploy a sandboxing that depends on enumerating and freezing access to the window object may miss this, allowing their sandboxes to be bypassed.
Tag: Sandbox Bypass
ASA-2019-00323 – Vim: Arbitrary code execution via modelines
Vim before 8.1.1365 and Neovim before 0.3.6 are vulnerable to arbitrary code execution via modelines by opening a specially crafted text file.
ASA-2019-00091 – Jenkins: Sandbox bypass via Cross-Site Request Forgery (CSRF) in Warnings Next Generation Plugin
Warnings Next Generation plugin has a form validation HTTP endpoint used to validate a Groovy script through compilation, which was not subject to sandbox protection. The endpoint checked for the Overall/RunScripts permission, but did not require POST requests, so it was vulnerable to cross-site request forgery (CSRF). This allowed attackers to execute arbitrary code on the Jenkins master by applying AST transforming annotations such as @Grab to source code elements. The affected HTTP endpoint now applies a safe Groovy compiler configuration preventing the use of unsafe AST transforming annotations. Additionally, the form validation HTTP endpoint now requires that requests be sent via POST to prevent CSRF.
ASA-2019-00090 – Jenkins: Sandbox bypass via Cross-Site Request Forgery (CSRF) in Warnings Plugin
Warnings Plugin has a form validation HTTP endpoint used to validate a user-submitted Groovy script through compilation, which was not subject to sandbox protection. The endpoint checked for the Overall/RunScripts permission, but did not require POST requests, so it was vulnerable to cross-site request forgery (CSRF). This allowed attackers to execute arbitrary code on the Jenkins master by applying AST transforming annotations such as @Grab to source code elements. The affected HTTP endpoint now applies a safe Groovy compiler configuration preventing the use of unsafe AST transforming annotations. Additionally, the form validation HTTP endpoint now requires that requests be sent via POST to prevent CSRF.
ASA-2019-00089 – Jenkins: Sandbox bypass in Groovy Plugin
Groovy Plugin has a form validation HTTP endpoint used to validate a user-submitted Groovy script through compilation, which was not subject to sandbox protection. This allowed attackers with Overall/Read access to execute arbitrary code on the Jenkins master by applying AST transforming annotations such as @Grab to source code elements. The affected HTTP endpoint now applies a safe Groovy compiler configuration preventing the use of unsafe AST transforming annotations.
ASA-2019-00088 – Jenkins: Sandbox bypass in Script Security Plugin
Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as `@Grab` to source code elements. This affected an HTTP endpoint used to validate a user-submitted Groovy script that was not covered in the 2019-01-08 fix for SECURITY-1266 and allowed users with Overall/Read permission to bypass the sandbox protection and execute arbitrary code on the Jenkins master.
ASA-2019-00005 – Jenkins: Sandbox Bypass in Script Security and Pipeline Plugins
Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements. Both the pipeline validation REST APIs and actual script/pipeline execution are affected. This allowed users with Overall/Read permission, or able to control Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass the sandbox protection and execute arbitrary code on the Jenkins master.
ASA-2018-00013 – Jenkins: Sandbox Bypass in Script Security and Pipeline Groovy Plugins
The Groovy Sandbox library used by Script Security Plugin and Pipeline Groovy Plugin did not apply sandbox restrictions to finalize methods. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection. Finalize methods are now prohibited in classes subject to sandbox security. This may result in existing sandboxed scripts, such as pipelines, starting to fail if they use this language feature.