A flaw was found in Pipeline: Declarative Plugin before version 1.3.4.1, Pipeline: Groovy Plugin before version 2.61.1 and Script Security Plugin before version 1.50. Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements. Both the pipeline validation REST APIs and actual script/pipeline execution are affected. This allowed users with Overall/Read permission, or able to control Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass the sandbox protection and execute arbitrary code on the Jenkins master. All known unsafe AST transformations in Groovy are now prohibited in sandboxed scripts. References: https://jenkins.io/security/advisory/2019-01-08/ Upstream patches: https://github.com/jenkinsci/pipeline-model-definition-plugin/commit/083abd96e68fd89f556a0cd53db5f878dbf09b92 https://github.com/jenkinsci/script-security-plugin/commit/2c5122e50742dd16492f9424992deb21cc07837c https://github.com/jenkinsci/workflow-cps-plugin/commit/d09583eda7898eafdd15297697abdd939c6ba5b6
Created groovy-sandbox tracking bugs for this issue: Affects: fedora-all [bug 1667571] Created jenkins-script-security-plugin tracking bugs for this issue: Affects: fedora-all [bug 1667570]
openshift-enterprise-3.2: - containers/openshift-jenkins:rhaos-3.2-rhel-7 in contrib/openshift/base-plugins.txt contains hits for script-security:1.19, workflow-cps:2.6 openshift-enterprise-3.3: affected - containers/openshift-jenkins:rhaos-3.3-rhel-7 in contrib/openshift/base-plugins.txt contains hits for script-security:1.19, workflow-cps:2.6 - containers/openshift-jenkins-2:rhaos-3.3-rhel-7 in contrib/openshift/base-plugins.txt contains hits for script-security:1.19, workflow-cps:2.6 Once openshift3/jenkins-1-rhel7 and openshift3/jenkins-2-rhel7 container images have been released with these fixes, users of all versions of openshift-enterprise-3.2+ are encouraged to update these container images in their environment.
External References: https://jenkins.io/security/advisory/2019-01-08/
Marked Bug as won't fix because it is obsolete