Jenkins Groovy Plugin sandbox bypass vulnerability

GHSA-6q78-6xvr-26fg · CVE-2019-1003001

Published May 13, 2022 · Modified Dec 2, 2024

Description

Jenkins Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements.

Both the pipeline validation REST APIs and actual script/pipeline execution are affected.

This allowed users with Overall/Read permission, or able to control Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass the sandbox protection and execute arbitrary code on the Jenkins controller.

All known unsafe AST transformations in Groovy are now prohibited in sandboxed scripts.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2019-1003001
WEB https://github.com/jenkinsci/pipeline-model-definition-plugin/commit/6d7884dec610bf34503d24d494d994e9fc607642
WEB https://github.com/jenkinsci/script-security-plugin/commit/2c5122e50742dd16492f9424992deb21cc07837c
WEB https://github.com/jenkinsci/workflow-cps-plugin/commit/66c3e7aafe7888d4e1fe9995a688bb3fb742d742
WEB https://access.redhat.com/errata/RHBA-2019:0326
WEB https://access.redhat.com/errata/RHBA-2019:0327
WEB https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266
WEB https://www.exploit-db.com/exploits/46572
WEB http://packetstormsecurity.com/files/152132/Jenkins-ACL-Bypass-Metaprogramming-Remote-Code-Execution.html
WEB http://www.rapid7.com/db/modules/exploit/multi/http/jenkins_metaprogramming

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes