https://bugzilla.redhat.com/show_bug.cgi?id=1684556
Bug ID: 1684556
Summary: CVE-2019-1003024 jenkins-plugin-script-security: Sandbox Bypass in
Script Security Plugin (SECURITY-1320)
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=important,public=20190219,reported=20190219,
source=internet,
cvss3=8.8/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,
cwe=CWE-96,
openshift-enterprise-3.2/jenkins-plugin-script-security=wontfix,
openshift-enterprise-3.3/jenkins-plugin-script-security=wontfix,
openshift-enterprise-3.4/jenkins-plugin-script-security=wontfix,
openshift-enterprise-3.5/jenkins-plugin-script-security=wontfix,
openshift-enterprise-3.7/jenkins-plugin-script-security=wontfix,
openshift-enterprise-3.6/jenkins-plugin-script-security=wontfix,
openshift-enterprise-3.9/jenkins-plugin-script-security=wontfix,
openshift-enterprise-3.10/jenkins-plugin-script-security=wontfix,
openshift-enterprise-3.11/jenkins-2-plugins=affected,
fedora-all/jenkins-script-security-plugin=affected,
openshift-enterprise-4.0/jenkins-2-plugins=affected
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team(a)redhat.com
Reporter: anemec(a)redhat.com
CC: ahardin(a)redhat.com, bleanhar(a)redhat.com,
ccoleman(a)redhat.com, dedgar(a)redhat.com,
eparis(a)redhat.com,
java-sig-commits(a)lists.fedoraproject.org,
jgoulding(a)redhat.com, jokerman(a)redhat.com,
mchappel(a)redhat.com, mizdebsk(a)redhat.com,
msrb(a)redhat.com
Target Milestone: ---
Classification: Other

The previously implemented script security sandbox protections prohibiting the
use of unsafe AST transforming annotations such as @Grab (2019-01-08 fix for
SECURITY-1266) could be circumvented through use of various Groovy language
features:

* Use of AnnotationCollector
* Import aliasing
* Referencing annotation types using their full class name

This allowed users with Overall/Read permission, or the ability to control
Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass the
sandbox protection and execute arbitrary code on the Jenkins master.

Using AnnotationCollector is now newly prohibited in sandboxed scripts such as
Pipelines. Importing any of the annotations considered unsafe will now result
in an error. During the compilation phase, both simple and full class names of
prohibited annotations are rejected for element annotations.
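
To audit Jenkinsfiles and shared-library sources in SCM for the constructs listed above, a line-based scan can flag imports (aliased or not) and annotation uses by simple, aliased, or full class name. This is an added example, not code from the plugin or from this bug report; the UNSAFE list, the audit() function and the sample text are assumptions made for illustration.

```python
import re

# Assumed list for this sketch: @Grab and AnnotationCollector are named in the
# advisory text; the other Groovy annotations are included as an assumption.
UNSAFE = {
    "groovy.lang.Grab", "groovy.lang.Grapes", "groovy.lang.GrabConfig",
    "groovy.lang.GrabResolver", "groovy.lang.GrabExclude",
    "groovy.transform.ASTTest", "groovy.transform.AnnotationCollector",
}
SIMPLE = {fq.rsplit(".", 1)[1]: fq for fq in UNSAFE}  # simple name -> full name
IMPORT_RE = re.compile(r"^\s*import\s+([\w.]+)(?:\s+as\s+(\w+))?")
ANNOT_RE = re.compile(r"@\s*([A-Za-z_][\w.]*)")


def audit(source):
    """Return (line_no, kind, annotation) findings for one Groovy source text."""
    findings, aliases = [], {}
    for no, line in enumerate(source.splitlines(), 1):
        m = IMPORT_RE.match(line)
        if m:
            target, alias = m.groups()
            if target in UNSAFE:
                if alias:
                    aliases[alias] = target  # remember the renamed annotation
                kind = "aliased-import" if alias else "import"
                findings.append((no, kind, target))
            continue
        for name in ANNOT_RE.findall(line):
            if name in UNSAFE:
                findings.append((no, "full-name", name))
            elif name in aliases:
                findings.append((no, "alias-use", aliases[name]))
            elif name in SIMPLE:
                findings.append((no, "simple-name", SIMPLE[name]))
    return findings


# Constructed sample Jenkinsfile text; the coordinates are placeholders.
SAMPLE = """\
import groovy.lang.Grab as Dep
import groovy.transform.AnnotationCollector
@Dep('example:placeholder:0')
@groovy.lang.Grab('example:placeholder:0')
import java.util.List
node { echo 'build' }
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

The scan works on text lines rather than the Groovy AST, so it is a review aid for repositories and does not replace the compile-time rejection described above.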