Bug 1667566 (CVE-2019-1003000)
| Summary: | CVE-2019-1003000 jenkins-plugin-script-security: Sandbox Bypass in Script Security Plugin | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED WONTFIX | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | abenaiss, ahardin, aos-bugs, bleanhar, bmontgom, ccoleman, dedgar, eparis, jburrell, jgoulding, jokerman, mchappel, mmccomas, nstielau, obulatov, pbhattac, sponnaga, vbobade, wzheng |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | script-security-plugin 1.50 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in Jenkins Pipeline. The Script Security sandbox protection could be circumvented during the script compilation phase by applying AST, transforming annotations such as @Grab to source code elements. Both the pipeline validation REST APIs and actual script/pipeline execution are affected. This allowed users with Overall/Read permission, or able to control Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass the sandbox protection and execute arbitrary code on the Jenkins master. All known unsafe AST transformations in Groovy are now prohibited in sandboxed scripts. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-08-26 16:31:03 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1667570, 1667571, 1669510, 1669511, 1669512, 1669513, 1669522, 1669528, 1669529, 1671214 | ||
| Bug Blocks: | 1667569 | ||
|
Description
Laura Pardo
2019-01-18 20:27:51 UTC
Created groovy-sandbox tracking bugs for this issue: Affects: fedora-all [bug 1667571] Created jenkins-script-security-plugin tracking bugs for this issue: Affects: fedora-all [bug 1667570] openshift-enterprise-3.2: - containers/openshift-jenkins:rhaos-3.2-rhel-7 in contrib/openshift/base-plugins.txt contains hits for script-security:1.19, workflow-cps:2.6 openshift-enterprise-3.3: affected - containers/openshift-jenkins:rhaos-3.3-rhel-7 in contrib/openshift/base-plugins.txt contains hits for script-security:1.19, workflow-cps:2.6 - containers/openshift-jenkins-2:rhaos-3.3-rhel-7 in contrib/openshift/base-plugins.txt contains hits for script-security:1.19, workflow-cps:2.6 Once openshift3/jenkins-1-rhel7 and openshift3/jenkins-2-rhel7 container images have been released with these fixes, users of all versions of openshift-enterprise-3.2+ are encouraged to update these container images in their environment. External References: https://jenkins.io/security/advisory/2019-01-08/ Marked Bug as won't fix because it is obsolete |