Bug 1471064 (CVE-2017-1000096) - CVE-2017-1000096 jenkins-plugin-workflow-cps: Arbitrary code execution due to incomplete sandbox protection (SECURITY-551)
Summary: CVE-2017-1000096 jenkins-plugin-workflow-cps: Arbitrary code execution due to...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2017-1000096
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1472033
Blocks: 1471067
TreeView+ depends on / blocked
 
Reported: 2017-07-14 10:38 UTC by Adam Mariš
Modified: 2021-02-17 01:56 UTC (History)
13 users (show)

Fixed In Version: jenkins-plugin-workflow-cps 2.36.1
Clone Of:
Environment:
Last Closed: 2017-08-14 16:43:03 UTC
Embargoed:

Attachments (Terms of Use)

Description Adam Mariš 2017-07-14 10:38:16 UTC 
Pipelines are subject to script security: Either the entire Pipeline needs to be approved, or it runs in a sandbox, with only whitelisted methods etc. allowed to be called.

Constructors, instance variable initializers, and instance initializers in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code.

This could be exploited e.g. by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles.

External References:

https://jenkins.io/security/advisory/2017-07-10/
Comment 1 Adam Mariš 2017-07-14 10:38:33 UTC 
Acknowledgments:

Name: the Jenkins project
Upstream: Simon St John, Green
Comment 3 Trevor Jay 2017-08-14 16:43:03 UTC 
Statement:

This issue affects the versions of jenkins-plugin-workflow-cps  as shipped with Red Hat OpenShift Enterprise 3. However, this flaw is of low impact under the supported scenarios in OpenShift Enterprise 3. A future update may address this issue.
Note You need to log in before you can comment on or make changes to this bug.