CVE-2019-1003006

Name of the Vulnerable Software and Affected Versions: Jenkins Groovy Plugin versions 2.0 and earlier

Description: A sandbox bypass issue allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint, resulting in arbitrary code execution on the Jenkins master JVM. The issue is related to the src/main/java/hudson/plugins/groovy/StringScriptSource.java file. In version 2.1, the affected HTTP endpoint applies a safe Groovy compiler configuration, preventing the use of unsafe AST transforming annotations.

Recommendations: For Jenkins Groovy Plugin versions 2.0 and earlier, update to version 2.1 or later to apply a safe Groovy compiler configuration that prevents the use of unsafe AST transforming annotations. As a temporary workaround, consider restricting access to the HTTP endpoint that allows Groovy script execution until a patch is available.