Jenkins Groovy Plugin before version 2.1 has the following vulnerability: Groovy Plugin has a form validation HTTP endpoint used to validate a user-submitted Groovy script through compilation, which was not subject to sandbox protection. This allowed attackers with Overall/Read access to execute arbitrary code on the Jenkins master by applying AST transforming annotations such as @Grab to source code elements. The affected HTTP endpoint now applies a safe Groovy compiler configuration preventing the use of unsafe AST transforming annotations.

External Reference: https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1293

Upstream patches: https://github.com/jenkinsci/groovy-plugin/commit/212e048a319ae32dad4cfec5e73a885a9f4781f0
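As an added example (not the plugin's own code and not the upstream patch linked above), the following Groovy script shows the kind of "safe compiler configuration" the description refers to: a CompilationCustomizer that rejects AST-transforming annotations such as @Grab before the compiler applies them, used to compile (never run) a few constructed probe scripts the way a form-validation endpoint does. The class name, the annotation deny-list, the checkScript method and the probe scripts are this example's own; the approach follows the RejectASTTransformsCustomizer idea from the Jenkins Script Security plugin, which the page itself does not mention.

```groovy
// Added example: restrict what a "compile only" validation endpoint will accept.
// Names (RejectAstTransformsCustomizer, checkScript, BLOCKED) are this example's own.
import groovy.lang.GroovyShell
import org.codehaus.groovy.ast.AnnotatedNode
import org.codehaus.groovy.ast.AnnotationNode
import org.codehaus.groovy.ast.ClassCodeVisitorSupport
import org.codehaus.groovy.ast.ClassNode
import org.codehaus.groovy.classgen.GeneratorContext
import org.codehaus.groovy.control.CompilationFailedException
import org.codehaus.groovy.control.CompilePhase
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.SourceUnit
import org.codehaus.groovy.control.customizers.CompilationCustomizer
import org.codehaus.groovy.syntax.SyntaxException

/** Rejects annotations that download dependencies or run code while the script is merely compiled. */
class RejectAstTransformsCustomizer extends CompilationCustomizer {
    // Grape annotations (compile-time dependency download) and @ASTTest (runs a closure at compile time).
    // Both the default-imported simple name and the fully qualified spelling are listed, because at
    // the CONVERSION phase annotation class names are not yet resolved.
    static final Set<String> BLOCKED = [
        'Grab', 'GrabConfig', 'GrabExclude', 'GrabResolver', 'Grapes', 'ASTTest',
        'groovy.lang.Grab', 'groovy.lang.GrabConfig', 'groovy.lang.GrabExclude',
        'groovy.lang.GrabResolver', 'groovy.lang.Grapes', 'groovy.transform.ASTTest',
    ] as Set

    RejectAstTransformsCustomizer() {
        // CONVERSION is the earliest phase a customizer can hook, i.e. before any transform runs.
        super(CompilePhase.CONVERSION)
    }

    @Override
    void call(SourceUnit source, GeneratorContext context, ClassNode classNode) {
        new ClassCodeVisitorSupport() {
            @Override
            protected SourceUnit getSourceUnit() { source }

            // Called for annotations on the class, imports, methods, fields and declarations.
            @Override
            void visitAnnotations(AnnotatedNode node) {
                for (AnnotationNode ann : node.annotations) {
                    String name = ann.classNode.name
                    if (BLOCKED.contains(name)) {
                        source.addError(new SyntaxException(
                            "Annotation @${name} is not allowed in user-submitted scripts",
                            ann.lineNumber, ann.columnNumber))
                    }
                }
                super.visitAnnotations(node)
            }
        }.visitClass(classNode)
    }
}

/** Compiles a script under the restricted configuration; returns null if it compiles, else the error text. */
String checkScript(String script) {
    CompilerConfiguration cc = new CompilerConfiguration()
    cc.addCompilationCustomizers(new RejectAstTransformsCustomizer())
    try {
        new GroovyShell(cc).parse(script)   // parse() compiles to a Script class but does not execute it
        return null
    } catch (CompilationFailedException e) {
        return e.message
    }
}

// Constructed probe scripts (placeholder coordinates and host); each is compiled, none is run.
Map<String, String> probes = [
    plain  : 'println "hello ${new Date()}"',
    grab   : '@Grab("org.example:does-not-exist:1.0")\nimport org.example.Nothing',
    grabFqn: '@groovy.lang.GrabResolver(name="r", root="http://placeholder.invalid/repo")\ndef x = 1',
    astTest: '@groovy.transform.ASTTest(value={ println "would run at compile time" })\ndef y = 2',
]
probes.each { label, src ->
    String err = checkScript(src)
    String reason = err == null ? 'compiles' :
        'REJECTED: ' + (err.readLines().find { it.contains('Annotation @') } ?: err.readLines().first())
    println "${label.padRight(7)} -> ${reason}"
}
```

The property worth checking in such a configuration is that the rejection happens inside the compiler, before any transform is applied: with the plain configuration, a @Grab on a nonexistent artifact still fails, but only after Grape has contacted a repository, whereas here the annotation is refused at the CONVERSION phase and no resolution or compile-time code execution takes place. An endpoint that only compiles user input still needs this, since compilation alone was the trigger in the vulnerability described above.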
Created groovy-sandbox tracking bugs for this issue: Affects: fedora-all [bug 1670291]
This flaw is actually referring to a sandbox escape in https://plugins.jenkins.io/groovy aka https://github.com/jenkinsci/groovy-plugin; *not* groovy-sandbox aka https://github.com/jenkinsci/groovy-sandbox/

Removing openshift-enterprise-3.x.