Bug 1669508 (CVE-2019-1003002)
Summary: | CVE-2019-1003002 jenkins-plugin-pipeline-model-definition: Sandbox Bypass in Pipeline: Declarative | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Paul Harvey <pharvey> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | abenaiss, ahardin, aos-bugs, bleanhar, bmontgom, ccoleman, dedgar, eparis, jburrell, jgoulding, jokerman, mchappel, mmccomas, nstielau, obulatov, pbhattac, sponnaga, vbobade, wzheng |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | pipeline-model-definition-plugin 1.3.4.1 | Doc Type: | If docs needed, set a value |
Doc Text: |
A flaw was found in Jenkins Pipeline. Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements. This allows users with Overall/Read permission, or able to control Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass the sandbox protection and execute arbitrary code on the Jenkins master. All known unsafe AST transformations in Groovy are now prohibited in sandboxed scripts. Both the pipeline validation REST APIs and actual script/pipeline execution are affected. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2020-08-26 16:36:16 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1669522, 1669523, 1669524, 1669525, 1669526, 1671214 | ||
Bug Blocks: | 1667569 |
Description
Paul Harvey
2019-01-25 14:17:13 UTC
openshift-enterprise-3.2, openshift-enterprise-3.3, openshift-enterprise-3.4: notaffected. jenkins-plugin-pipeline-model-definition is not included in any of: - containers/openshift-jenkins:rhaos-3.2-rhel-7 - containers/openshift-jenkins:rhaos-3.3-rhel-7 - containers/openshift-jenkins-2:rhaos-3.3-rhel-7 - containers/openshift-jenkins:rhaos-3.4-rhel-7 - containers/openshift-jenkins-2:rhaos-3.4-rhel-7 - containers/openshift-jenkins:rhaos-3.5-rhel-7 Once openshift3/jenkins-1-rhel7 and openshift3/jenkins-2-rhel7 container images have been released with these fixes, users of all versions of openshift-enterprise-3.5+ are encouraged to update these container images in their environment. External References: https://jenkins.io/security/advisory/2019-01-08/ Closing as bug is obsolete and this plugin is not used anymore |