https://bugzilla.redhat.com/show_bug.cgi?id=1684556 Bug ID: 1684556 Summary: CVE-2019-1003024 CVE-2019-1003024 jenkins-plugin-script-security: Sandbox Bypass in Script Security Plugin (SECURITY-1320) Product: Security Response Hardware: All OS: Linux Status: NEW Whiteboard: impact=important,public=20190219,reported=20190219,sou rce=internet,cvss3=8.8/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S: U/C:H/I:H/A:H,cwe=CWE-96,openshift-enterprise-3.2/jenk ins-plugin-script-security=wontfix,openshift-enterpris e-3.3/jenkins-plugin-script-security=wontfix,openshift -enterprise-3.4/jenkins-plugin-script-security=wontfix ,openshift-enterprise-3.5/jenkins-plugin-script-securi ty=wontfix,openshift-enterprise-3.7/jenkins-plugin-scr ipt-security=wontfix,openshift-enterprise-3.6/jenkins- plugin-script-security=wontfix,openshift-enterprise-3. 9/jenkins-plugin-script-security=wontfix,openshift-ent erprise-3.10/jenkins-plugin-script-security=wontfix,op enshift-enterprise-3.11/jenkins-2-plugins=affected,fed ora-all/jenkins-script-security-plugin=affected,opensh ift-enterprise-4.0/jenkins-2-plugins=affected Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team(a)redhat.com Reporter: anemec(a)redhat.com CC: ahardin(a)redhat.com, bleanhar(a)redhat.com, ccoleman(a)redhat.com, dedgar(a)redhat.com, eparis(a)redhat.com, java-sig-commits(a)lists.fedoraproject.org, jgoulding(a)redhat.com, jokerman(a)redhat.com, mchappel(a)redhat.com, mizdebsk(a)redhat.com, msrb(a)redhat.com Target Milestone: --- Classification: Other The previously implemented script security sandbox protections prohibiting the use of unsafe AST transforming annotations such as @Grab (2019-01-08 fix for SECURITY-1266) could be circumvented through use of various Groovy language features: * Use of AnnotationCollector * Import aliasing * Referencing annotation types using their full class name This allowed users with Overall/Read permission, or the ability to control Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass the sandbox protection and execute arbitrary code on the Jenkins master. Using AnnotationCollector is now newly prohibited in sandboxed scripts such as Pipelines. Importing any of the annotations considered unsafe will now result in an error. During the compilation phase, both simple and full class names of prohibited annotations are rejected for element annotations. -- You are receiving this mail because: You are on the CC list for the bug.