PT-2019-11303 · Jenkins · Pipeline: Declarative Plugin+1

Orange Tsai · Published 2019-01-22 · Updated 2023-10-25 · CVE-2019-1003002

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Pipeline: Declarative Plugin versions 1.3.3 and earlier
Description: A sandbox bypass issue exists that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM by providing a pipeline script to an HTTP endpoint. The Jenkins Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements. Both the pipeline validation REST APIs and actual script/pipeline execution are affected, allowing users with Overall/Read permission, or able to control Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass the sandbox protection and execute arbitrary code on the Jenkins controller.
Recommendations: For Pipeline: Declarative Plugin versions 1.3.3 and earlier, consider disabling the use of AST transforming annotations such as @Grab in sandboxed scripts until a patch is available. Restrict access to the pipeline validation REST APIs and actual script/pipeline execution to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
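
A pre-merge check for the SCM path named in the description, added here as an example that is not part of the advisory or of Jenkins: it scans Jenkinsfile or shared-library text for AST transforming annotations. Only @Grab comes from the page; the rest of the denylist, the function names and the sample file are assumptions of this example.

```python
import re

# Annotations processed while the script is compiled, before sandbox checks.
# Only @Grab is named in the advisory; the other entries are an assumption
# of this example, as is the idea of scanning SCM content before a build.
BLOCKED = {"Grab", "Grapes", "GrabConfig", "GrabResolver", "GrabExclude",
           "ASTTest", "AnnotationCollector"}

# Comments and quoted strings, blanked first so a quoted or commented-out
# "@Grab" is not reported. Slashy and dollar-slashy strings are not handled.
_SKIP = re.compile(
    r'"""[\s\S]*?"""|\'\'\'[\s\S]*?\'\'\''
    r'|"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\''
    r'|/\*[\s\S]*?\*/|//[^\n]*')
_ALIAS = re.compile(r'\bimport[ \t]+(?:\w+\.)*(\w+)[ \t]+as[ \t]+(\w+)')
_ANNOTATION = re.compile(r'@\s*(?:[A-Za-z_]\w*\s*\.\s*)*([A-Za-z_]\w*)')

def _blank(match):
    # Keep newlines so reported line numbers still match the file.
    return re.sub(r"[^\n]", " ", match.group())

def find_blocked_annotations(source):
    """Return [(line, canonical_name)] for each blocked annotation use."""
    code = _SKIP.sub(_blank, source)
    names = {name: name for name in BLOCKED}
    for target, alias in _ALIAS.findall(code):
        if target in BLOCKED:          # e.g. import groovy.lang.Grab as Dep
            names[alias] = target
    hits = []
    for m in _ANNOTATION.finditer(code):
        if m.group(1) in names:
            line = code.count("\n", 0, m.start()) + 1
            hits.append((line, names[m.group(1)]))
    return hits

# Constructed sample Jenkinsfile; the coordinates are placeholders.
SAMPLE = '''\
// constructed sample: "@Grab" inside this comment is ignored
import groovy.lang.Grab as Dep
@Grab('org.example:placeholder:0.0')
import org.example.Placeholder
@Dep('org.example:other:0.0') import org.example.Other
pipeline {
    stages { stage('build') { steps { echo "mentions @Grab in a string" } } }
}
'''

if __name__ == "__main__":
    for line, name in find_blocked_annotations(SAMPLE):
        print(f"line {line}: @{name}")
```

A text scan like this is a review aid for repository content only; it does not cover scripts submitted to the validation REST APIs.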

Exploit

Related Identifiers

CVE-2019-1003002
GHSA-X6JX-CXG3-MGGH

Affected Products

Jenkins
Pipeline: Declarative Plugin