PT-2019-11327 · Jenkins · Jenkins Groovy Plugin
Georgy Noseevich · Published 2019-03-08 · Updated 2023-10-25
CVE-2019-1003033
CVSS v3.1: 8.8 (High)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
Jenkins Groovy Plugin versions 2.1 and earlier
Description:
A sandbox bypass vulnerability allows an attacker who holds Overall/Read permission to execute arbitrary code in the Jenkins master JVM. The flaw is located in the src/main/java/hudson/plugins/groovy/StringScriptSource.java file.
Recommendations:
For Jenkins Groovy Plugin versions 2.1 and earlier, update to version 2.2 or later, which uses the Script Security APIs to apply sandbox protection.
As a temporary workaround, restrict access to the Jenkins master JVM to reduce the risk of exploitation.
Weakness Enumeration
Protection Mechanism Failure
Related Identifiers
CVE-2019-1003033
Affected Products
Jenkins
Jenkins Groovy Plugin