A flaw was found in Pipeline: Declarative Plugin before version 1.3.4.1, Pipeline: Groovy Plugin before version 2.61.1 and Script Security Plugin before version 1.50. Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements. Both the pipeline validation REST APIs and actual script/pipeline execution are affected. This allowed users with Overall/Read permission, or able to control Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass the sandbox protection and execute arbitrary code on the Jenkins master. References: https://jenkins.io/security/advisory/2019-01-08/ Upstream patches: https://github.com/jenkinsci/workflow-cps-plugin/commit/d09583eda7898eafdd15297697abdd939c6ba5b6
openshift-enterprise-3.2: affected - containers/openshift-jenkins:rhaos-3.2-rhel-7 in contrib/openshift/base-plugins.txt contains hits for script-security:1.19, workflow-cps:2.6 openshift-enterprise-3.3: affected - containers/openshift-jenkins:rhaos-3.3-rhel-7 in contrib/openshift/base-plugins.txt contains hits for script-security:1.19, workflow-cps:2.6 - containers/openshift-jenkins-2:rhaos-3.3-rhel-7 in contrib/openshift/base-plugins.txt contains hits for script-security:1.19, workflow-cps:2.6 Once openshift3/jenkins-1-rhel7 and openshift3/jenkins-2-rhel7 container images have been released with these fixes, users of all versions of openshift-enterprise-3.2+ are encouraged to update these container images in their environment.
External References: https://jenkins.io/security/advisory/2019-01-08/
Closing as it is obsolete