List: oss-security
Subject: Re: [oss-security] Sandbox bypass in multiple Jenkins plugins
From: Daniel Beck <ml () beckweb ! net>
Date: 2019-01-23 10:18:20
Message-ID: 76DD3118-C738-425E-B96F-85EFF8BB1D62 () beckweb ! net
> On 8. Jan 2019, at 13:46, Daniel Beck <ml@beckweb.net> wrote:
>
> SECURITY-1266
> Script Security sandbox protection could be circumvented during the
> compilation phase by applying AST transforming annotations such as @Grab
> to source code elements.
>
> Both the pipeline validation REST APIs and actual script/pipeline
> execution are affected.
>
> This allowed users with Overall/Read permission, or able to control
> Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to
> bypass the sandbox protection and execute arbitrary code on the Jenkins
> master.
CVE-2019-1003000 (Script Security Plugin)
CVE-2019-1003001 (Pipeline: Groovy Plugin)
CVE-2019-1003002 (Pipeline: Declarative Plugin)
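The quoted description above ties the bypass to AST-transforming annotations such as @Grab taking effect during compilation, so the problem cannot be caught by the runtime sandbox at all and, as the advisory notes, also reaches the validation REST APIs. Until the fixed plugin versions are rolled out, one practical triage step is to scan SCM-hosted Jenkinsfiles and sandboxed shared-library sources for such annotations. The Python script below is an added example written for this archive page, not code from Jenkins, from the plugins named above, or from the advisory author. The annotation list beyond @Grab (the rest of the Groovy Grape family), the regular-expression approach and the sample Jenkinsfile are assumptions of the example.

```python
"""Triage scanner: flag Groovy Grape annotations in Jenkinsfile / shared-library sources.

Added example for the oss-security archive page on SECURITY-1266; not Jenkins code.
"""
import re
from typing import List, Tuple

# @Grab is the annotation named in the advisory; the other members of the Groovy
# Grape family are listed here as an assumption of this example, since they are
# handled by the same compile-time mechanism. Longer names come first so the
# alternation does not stop early at the "Grab" prefix.
GRAPE_ANNOTATIONS = ("Grapes", "GrabConfig", "GrabResolver", "GrabExclude", "Grab")

# Matches both the short form (@Grab) and the fully qualified form (@groovy.lang.Grab).
ANNOTATION_RE = re.compile(
    r"@(?:groovy\.lang\.)?(" + "|".join(GRAPE_ANNOTATIONS) + r")\b"
)


def strip_comments(src: str) -> str:
    """Blank out // and /* ... */ comments while preserving newlines.

    Keeping the newlines means line numbers in the cleaned text still match the
    original file. String literals are deliberately not parsed: a '//' inside a
    string blanks the rest of that line, which is acceptable for a conservative
    triage pass (an annotation before it on the same line is still reported).
    """
    def _blank(match: "re.Match[str]") -> str:
        return "\n" * match.group(0).count("\n")

    return re.sub(r"/\*.*?\*/|//[^\n]*", _blank, src, flags=re.DOTALL)


def find_grape_annotations(src: str) -> List[Tuple[int, str]]:
    """Return (line_number, annotation_name) for every Grape annotation outside comments.

    This is a text scan, not a Groovy parser: an annotation-looking token inside a
    string literal is reported too, which errs on the side of a manual review.
    """
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(strip_comments(src).splitlines(), start=1):
        for match in ANNOTATION_RE.finditer(line):
            hits.append((lineno, match.group(1)))
    return hits


# Constructed sample Jenkinsfile for this example (not taken from the advisory).
SAMPLE_JENKINSFILE = """\
// Constructed sample for the scanner example; not a real project's Jenkinsfile.
// @Grab(group='x', module='y', version='1')  <- commented out, must not be reported
@Grab(group='org.yaml', module='snakeyaml', version='1.23')
import org.yaml.snakeyaml.Yaml

node {
    /* @GrabConfig(systemClassLoader=true) inside a block comment, also ignored */
    echo new Yaml().dump([ok: true])
}
"""


if __name__ == "__main__":
    for lineno, name in find_grape_annotations(SAMPLE_JENKINSFILE):
        print(f"Jenkinsfile:{lineno}: @{name} annotation found; review before trusting this source")
```

Run over a checkout with something like `find . -name Jenkinsfile -o -name '*.groovy'` feeding `find_grape_annotations`; a hit is a reason to review the file and confirm the updated plugins are installed, not proof of an attack, and a clean scan does not replace applying the fixes listed above.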