1542730 – (CVE-2018-1000058) CVE-2018-1000058 jenkins-plugin-workflow-support: Arbitrary code execution due to incomplete sandbox protection in Pipeline: Supporting APIs Plugin

Bug 1542730 (CVE-2018-1000058) - CVE-2018-1000058 jenkins-plugin-workflow-support: Arbitrary code execution due to incomplete sandbox protection in Pipeline: Supporting APIs Plugin

Summary: CVE-2018-1000058 jenkins-plugin-workflow-support: Arbitrary code execution du...

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2018-1000058
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	1542732
TreeView+	depends on / blocked

Reported:	2018-02-06 22:15 UTC by Laura Pardo
Modified:	2019-09-29 14:32 UTC (History)
CC List:	7 users (show)
Fixed In Version:	jenkins-plugin-workflow-support 2.18
Clone Of:
Environment:
Last Closed:	2018-02-16 03:03:08 UTC
Embargoed:

Attachments	(Terms of Use)

Description Laura Pardo 2018-02-06 22:15:59 UTC

A flaw was found in Jenkins Pipeline: Supporting APIs Plugin. Pipelines are subject to script security: Either the entire Pipeline needs to be approved, or it runs in a sandbox, with only whitelisted methods etc. allowed to be called. Methods related to Java deserialization like readResolve implemented in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. This could be exploited e.g. by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles.


References:
https://jenkins.io/security/advisory/2018-02-05/ [SECURITY-699 / CVE-2018-1000058]

Note You need to log in before you can comment on or make changes to this bug.