Bug 1667566 (CVE-2019-1003000) - CVE-2019-1003000 jenkins-plugin-script-security: Sandbox Bypass in Script Security Plugin
Summary: CVE-2019-1003000 jenkins-plugin-script-security: Sandbox Bypass in Script Sec...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2019-1003000
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1667570 1667571 1669510 1669511 1669512 1669513 1669522 1669528 1669529 1671214
Blocks: 1667569
TreeView+ depends on / blocked
 
Reported: 2019-01-18 20:27 UTC by Laura Pardo
Modified: 2022-05-19 03:41 UTC (History)
19 users (show)

Fixed In Version: script-security-plugin 1.50
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Jenkins Pipeline. The Script Security sandbox protection could be circumvented during the script compilation phase by applying AST, transforming annotations such as @Grab to source code elements. Both the pipeline validation REST APIs and actual script/pipeline execution are affected. This allowed users with Overall/Read permission, or able to control Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass the sandbox protection and execute arbitrary code on the Jenkins master. All known unsafe AST transformations in Groovy are now prohibited in sandboxed scripts. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Clone Of:
Environment:
Last Closed: 2020-08-26 16:31:03 UTC
Embargoed:

Attachments (Terms of Use)

Description Laura Pardo 2019-01-18 20:27:51 UTC 
A flaw was found in Pipeline: Declarative Plugin before version 1.3.4.1, Pipeline: Groovy Plugin before version 2.61.1 and Script Security Plugin before version 1.50. Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements. Both the pipeline validation REST APIs and actual script/pipeline execution are affected. This allowed users with Overall/Read permission, or able to control Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass the sandbox protection and execute arbitrary code on the Jenkins master. All known unsafe AST transformations in Groovy are now prohibited in sandboxed scripts.


References:
https://jenkins.io/security/advisory/2019-01-08/

Upstream patches:

https://github.com/jenkinsci/pipeline-model-definition-plugin/commit/083abd96e68fd89f556a0cd53db5f878dbf09b92

https://github.com/jenkinsci/script-security-plugin/commit/2c5122e50742dd16492f9424992deb21cc07837c

https://github.com/jenkinsci/workflow-cps-plugin/commit/d09583eda7898eafdd15297697abdd939c6ba5b6
Comment 1 Laura Pardo 2019-01-18 20:51:38 UTC 
Created groovy-sandbox tracking bugs for this issue:

Affects: fedora-all [bug 1667571]


Created jenkins-script-security-plugin tracking bugs for this issue:

Affects: fedora-all [bug 1667570]
Comment 5 Paul Harvey 2019-01-31 06:27:18 UTC 
openshift-enterprise-3.2: 
- containers/openshift-jenkins:rhaos-3.2-rhel-7 in contrib/openshift/base-plugins.txt contains hits for script-security:1.19, workflow-cps:2.6

openshift-enterprise-3.3: affected
- containers/openshift-jenkins:rhaos-3.3-rhel-7 in contrib/openshift/base-plugins.txt contains hits for script-security:1.19, workflow-cps:2.6
- containers/openshift-jenkins-2:rhaos-3.3-rhel-7 in contrib/openshift/base-plugins.txt contains hits for script-security:1.19, workflow-cps:2.6

Once openshift3/jenkins-1-rhel7 and openshift3/jenkins-2-rhel7 container images have been released with these fixes, users of all versions of openshift-enterprise-3.2+ are encouraged to update these container images in their environment.
Comment 6 Paul Harvey 2019-01-31 06:49:33 UTC 
External References:

https://jenkins.io/security/advisory/2019-01-08/
Comment 7 Vibhav Bobade 2020-08-26 16:31:03 UTC 
Marked Bug as won't fix because it is obsolete
Note You need to log in before you can comment on or make changes to this bug.