Bug 1670290 - jenkins-plugin-groovy: Sandbox Bypass in Groovy Plugin (SECURITY-1293)
Summary: jenkins-plugin-groovy: Sandbox Bypass in Groovy Plugin (SECURITY-1293)
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1670291
Blocks: 1670285
Reported: 2019-01-29 07:37 UTC by Sam Fowler
Modified: 2021-02-16 22:28 UTC
CC: 5 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-01-31 15:26:13 UTC
Embargoed:


Description Sam Fowler 2019-01-29 07:37:25 UTC
Jenkins Groovy Plugin before version 2.1 has the following vulnerability:

Groovy Plugin has a form validation HTTP endpoint used to validate a user-submitted Groovy script through compilation, which was not subject to sandbox protection. This allowed attackers with Overall/Read access to execute arbitrary code on the Jenkins master by applying AST transforming annotations such as @Grab to source code elements.

The affected HTTP endpoint now applies a safe Groovy compiler configuration preventing the use of unsafe AST transforming annotations.


External Reference:

https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1293

Upstream patches:

https://github.com/jenkinsci/groovy-plugin/commit/212e048a319ae32dad4cfec5e73a885a9f4781f0
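The description above says the endpoint compiled user-submitted scripts without sandbox protection and that the fix applies a safe compiler configuration. The following is an added, defender-side illustration of that idea using only standard Groovy compiler APIs; it is not code from this bug report, from the Groovy plugin, or from its upstream fix. The class names, the deny list and the sample scripts are this example's own choices, and the assumption that a CONVERSION-phase customizer runs before Groovy's queued global transformations (the mechanism behind @Grab) should be checked against the Groovy version in use.

```groovy
import groovy.lang.GroovyShell
import org.codehaus.groovy.ast.AnnotatedNode
import org.codehaus.groovy.ast.ClassCodeVisitorSupport
import org.codehaus.groovy.ast.ClassNode
import org.codehaus.groovy.classgen.GeneratorContext
import org.codehaus.groovy.control.CompilePhase
import org.codehaus.groovy.control.CompilerConfiguration
import org.codehaus.groovy.control.MultipleCompilationErrorsException
import org.codehaus.groovy.control.SourceUnit
import org.codehaus.groovy.control.customizers.CompilationCustomizer
import org.codehaus.groovy.syntax.SyntaxException

// Example customizer (hypothetical name, not the plugin's class). It walks the AST
// of every class produced from the script and reports a compile error for any
// annotation on the deny list. It is registered for the CONVERSION phase, which is
// where Groovy would otherwise apply the Grape (@Grab) transformation.
// Assumption: configured customizers run before the global transformations queued
// for the same phase, so the offending annotation is rejected before it can act.
class RejectUnsafeAnnotationsCustomizer extends CompilationCustomizer {

    // Deny list chosen for this example: the Grape family fetches and loads
    // dependencies at compile time; @ASTTest evaluates code at compile time.
    static final Set<String> DENIED =
        ['Grab', 'GrabConfig', 'GrabExclude', 'GrabResolver', 'Grapes', 'ASTTest'] as Set

    RejectUnsafeAnnotationsCustomizer() {
        super(CompilePhase.CONVERSION)
    }

    @Override
    void call(SourceUnit source, GeneratorContext context, ClassNode classNode) {
        new DenyListVisitor(source).visitClass(classNode)
    }

    // ClassCodeVisitorSupport calls visitAnnotations() for the class itself, its
    // imports, fields, properties, methods and local variable declarations, so a
    // single override covers every place an AST-transforming annotation can sit.
    static class DenyListVisitor extends ClassCodeVisitorSupport {
        private final SourceUnit source

        DenyListVisitor(SourceUnit source) { this.source = source }

        @Override
        protected SourceUnit getSourceUnit() { return source }

        @Override
        void visitAnnotations(AnnotatedNode node) {
            node.annotations.each { ann ->
                // At CONVERSION the annotation type is not yet resolved, so the
                // simple name as written in the source is what we can compare.
                String name = ann.classNode.nameWithoutPackage
                if (name in RejectUnsafeAnnotationsCustomizer.DENIED) {
                    source.addError(new SyntaxException(
                        "Annotation @${name} is not allowed in validated scripts",
                        node.lineNumber, node.columnNumber))
                }
            }
            super.visitAnnotations(node)
        }
    }
}

// A compiler configuration that carries the customizer; pass it to any
// GroovyShell or GroovyClassLoader that compiles untrusted script text.
CompilerConfiguration secureCompilerConfiguration() {
    CompilerConfiguration config = new CompilerConfiguration()
    config.addCompilationCustomizers(new RejectUnsafeAnnotationsCustomizer())
    return config
}

// Form validation as the advisory describes it: compile only, never run.
// GroovyShell.parse() compiles the text to a Script object without executing it.
String validateScript(String scriptText) {
    try {
        new GroovyShell(secureCompilerConfiguration()).parse(scriptText)
        return 'OK'
    } catch (MultipleCompilationErrorsException e) {
        String reason = e.errorCollector.getSyntaxError(0)?.message ?: e.message
        return 'REJECTED: ' + reason
    }
}

// Constructed inputs for the demonstration. The @Grab coordinate is deliberately
// invalid and nonexistent; with the customizer in place it is never resolved.
String benign = 'def greet(String who) { "hello, " + who }\nreturn greet("ci")'
String grabbing = [
    "@Grab(group = 'example.invalid', module = 'constructed-artifact', version = '0.0.1')",
    'import java.util.UUID',
    'return UUID.randomUUID()'
].join('\n')

println validateScript(benign)
println validateScript(grabbing)
```

Run it as a plain Groovy script. The benign script compiles and the validator reports it as acceptable; the second script is refused with a syntax error pointing at the @Grab line, and because the error is raised during the CONVERSION phase the dependency resolution that @Grab would trigger never starts. The deny list is the part to adapt: anything that can execute or fetch code during compilation belongs on it.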

Comment 1 Sam Fowler 2019-01-29 07:37:53 UTC
Created groovy-sandbox tracking bugs for this issue:

Affects: fedora-all [bug 1670291]

Comment 2 Paul Harvey 2019-01-31 15:26:13 UTC
This flaw is actually referring to a sandbox escape in https://plugins.jenkins.io/groovy aka https://github.com/jenkinsci/groovy-plugin; *not* groovy-sandbox aka https://github.com/jenkinsci/groovy-sandbox/

Removing openshift-enterprise-3.x.

