https://bugzilla.redhat.com/show_bug.cgi?id=1689873
Bug ID: 1689873
Summary: CVE-2019-1003029 jenkins-plugin-script-security: sandbox bypass in script security plugin
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=important,public=20190306,reported=20190309,source=cve,cvss3=8.8/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,fedora-all/jenkins-script-security-plugin=affected,openshift-enterprise-3.11/jenkins-2-plugins=affected,openshift-enterprise-4.0/jenkins-2-plugins=affected,openshift-enterprise-3.4/jenkins-plugin-script-security=affected,openshift-enterprise-3.5/jenkins-plugin-script-security=affected,openshift-enterprise-3.6/jenkins-plugin-script-security=affected,openshift-enterprise-3.7/jenkins-plugin-script-security=affected,openshift-enterprise-3.9/jenkins-plugin-script-security=affected,openshift-enterprise-3.10/jenkins-plugin-script-security=affected
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: darunesh(a)redhat.com
CC: ahardin(a)redhat.com, bleanhar(a)redhat.com, ccoleman(a)redhat.com, dedgar(a)redhat.com, eparis(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jgoulding(a)redhat.com, jokerman(a)redhat.com, mchappel(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com
Target Milestone: ---
Classification: Other
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in
src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java and
src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java
that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM.
Reference:
https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1336