Bug 1647059 (CVE-2018-1000865, CVE-2018-1000866) - CVE-2018-1000865 CVE-2018-1000866 jenkins-plugin-script-security: Sandbox Bypass in finalize methods
Summary: CVE-2018-1000865 CVE-2018-1000866 jenkins-plugin-script-security: Sandbox Byp...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-1000865, CVE-2018-1000866
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1647060 1648217 1648218 1648788 1648789 1648790 1648791 1648792 1648793 1648794 1648795 1648796 1648797 1648798 1648799 1648800 1648801 1648802 1648803 1648804 1648805
Blocks: 1647061
Reported: 2018-11-06 15:36 UTC by Laura Pardo
Modified: 2021-10-25 22:21 UTC
CC: 15 users

Fixed In Version: jenkins-plugin-script-security 1.48
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-10-25 22:21:33 UTC
Embargoed:



Description Laura Pardo 2018-11-06 15:36:41 UTC
The Groovy Sandbox library used by Script Security Plugin and Pipeline Groovy Plugin did not apply sandbox restrictions to finalize methods. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection.

References:
https://jenkins.io/security/advisory/2018-10-29/

Upstream patches:

https://github.com/jenkinsci/script-security-plugin/commit/16c862ae9d4038a3edbd8bdfb0fd1401a509d56b

https://github.com/jenkinsci/workflow-cps-plugin/commit/e1c56eb6d85d513cb24dfe188e6f592d0ff84b38

https://github.com/jenkinsci/groovy-sandbox/commit/0cd7ec12b7c56cfa3167d99c5f43147ce05449d3

Comment 1 Laura Pardo 2018-11-06 15:37:12 UTC
Created jenkins-script-security-plugin tracking bugs for this issue:

Affects: fedora-all [bug 1647060]

Comment 5 Paul Harvey 2018-11-12 06:55:13 UTC
Mitigation:

Do not run untrusted Jenkins pipeline scripts.

Comment 7 Nicholas Luedtke 2018-12-10 19:41:52 UTC
This got split into two CVEs: CVE-2018-1000865 and CVE-2018-1000866.

