PT-2019-11302 · Jenkins · Groovy Plugin+2

Orange Tsai · Published 2019-01-22 · Updated 2023-10-25 · CVE-2019-1003001

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Pipeline: Groovy Plugin versions 2.61 and earlier
Description: A sandbox bypass issue exists that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM by providing a pipeline script to an HTTP endpoint. The Jenkins Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements. Both the pipeline validation REST APIs and actual script/pipeline execution are affected, allowing users with Overall/Read permission to bypass the sandbox protection and execute arbitrary code on the Jenkins controller.
Recommendations: For Pipeline: Groovy Plugin versions 2.61 and earlier, consider disabling the CpsFlowDefinition and CpsGroovyShellFactory classes until a patch is available. Restrict access to the pipeline validation REST APIs and actual script/pipeline execution to minimize the risk of exploitation. Avoid using AST transforming annotations such as @Grab in sandboxed scripts until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Related Identifiers

CVE-2019-1003001
GHSA-6Q78-6XVR-26FG

Affected Products

Groovy Plugin
Jenkins
Pipeline