oss-sec mailing list archives
Sandbox bypass in multiple Jenkins plugins
From: Daniel Beck <ml () beckweb net>
Date: Tue, 8 Jan 2019 13:46:48 +0100
Jenkins is an open source automation server which enables developers around the world to reliably build, test, and deploy their software. The following releases contain fixes for security vulnerabilities: * Pipeline: Declarative Plugin 1.3.4.1 * Pipeline: Groovy Plugin 2.61.1 * Script Security Plugin 1.50 Summaries of the vulnerabilities are below. More details, severity, and attribution can be found here: https://jenkins.io/security/advisory/2019-01-08/ We provide advance notification for security updates on this mailing list: https://groups.google.com/d/forum/jenkinsci-advisories If you discover security vulnerabilities in Jenkins, please report them as described here: https://jenkins.io/security/#reporting-vulnerabilities --- SECURITY-1266 Script Security sandbox protection could be circumvented during the compilation phase by applying AST transforming annotations such as @Grab to source code elements. Both the pipeline validation REST APIs and actual script/pipeline execution are affected. This allowed users with Overall/Read permission, or able to control Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass the sandbox protection and execute arbitrary code on the Jenkins master.
Current thread:
- Sandbox bypass in multiple Jenkins plugins Daniel Beck (Jan 08)
- Re: Sandbox bypass in multiple Jenkins plugins Daniel Beck (Jan 23)