A flaw was found in Pipeline: Declarative Plugin before version 1.3.4.1, Pipeline: Groovy Plugin before version 2.61.1 and Script Security Plugin before version 1.50. Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements. Both the pipeline validation REST APIs and actual script/pipeline execution are affected. This allowed users with Overall/Read permission, or able to control Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass the sandbox protection and execute arbitrary code on the Jenkins master. All known unsafe AST transformations in Groovy are now prohibited in sandboxed scripts. References: https://jenkins.io/security/advisory/2019-01-08/ Upstream patches: https://github.com/jenkinsci/pipeline-model-definition-plugin/commit/083abd96e68fd89f556a0cd53db5f878dbf09b92
openshift-enterprise-3.2, openshift-enterprise-3.3, openshift-enterprise-3.4: notaffected. jenkins-plugin-pipeline-model-definition is not included in any of: - containers/openshift-jenkins:rhaos-3.2-rhel-7 - containers/openshift-jenkins:rhaos-3.3-rhel-7 - containers/openshift-jenkins-2:rhaos-3.3-rhel-7 - containers/openshift-jenkins:rhaos-3.4-rhel-7 - containers/openshift-jenkins-2:rhaos-3.4-rhel-7 - containers/openshift-jenkins:rhaos-3.5-rhel-7 Once openshift3/jenkins-1-rhel7 and openshift3/jenkins-2-rhel7 container images have been released with these fixes, users of all versions of openshift-enterprise-3.5+ are encouraged to update these container images in their environment.
External References: https://jenkins.io/security/advisory/2019-01-08/
Closing as bug is obsolete and this plugin is not used anymore