PT-2019-11784 · Jenkins · Jenkins Splunk Plugin

Published 2019-08-28 · Updated 2023-10-25 · CVE-2019-10390

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Jenkins Splunk Plugin versions 1.7.4 and earlier
Description: A sandbox bypass in the Jenkins Splunk Plugin allows attackers with Overall/Read permission (the baseline permission held by any user who can log in, and by anonymous users on instances that grant it) to execute arbitrary code on the Jenkins master JVM by submitting a Groovy script to an HTTP endpoint. The plugin exposes a form validation endpoint that checks user-submitted Groovy scripts by compiling them, and this endpoint was not subject to sandbox protection. Because Groovy applies AST-transforming annotations such as @Grab during compilation, compiling the submitted source is enough to trigger them; the script never has to be executed for the attacker's code to run.
Recommendations: For Jenkins Splunk Plugin versions 1.7.4 and earlier, update to a release that applies a safe Groovy compiler configuration, i.e. one that rejects unsafe AST-transforming annotations before the submitted script is compiled. Until the update is applied, restrict access to the form validation HTTP endpoint used for Groovy script validation (for example, at a reverse proxy in front of Jenkins) to reduce the risk of exploitation. Note that this workaround only limits who can reach the endpoint; any principal that can still reach it can still trigger the compile.
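The pattern described above, as an added example that is not part of this advisory or the Splunk plugin's own code: a compile-only validation helper in its vulnerable form next to a hardened form that applies a compiler configuration rejecting Grape and other AST-transforming annotations. The class and method names are hypothetical; the blocked-annotation list and the use of the CONVERSION phase follow the design of the Jenkins script-security plugin's RejectASTTransformsCustomizer, which is this example's assumption about what a "safe Groovy compiler configuration" means. It needs only the Groovy runtime jar on the classpath.

```java
import groovy.lang.GroovyShell;
import org.codehaus.groovy.ast.AnnotatedNode;
import org.codehaus.groovy.ast.AnnotationNode;
import org.codehaus.groovy.ast.ClassCodeVisitorSupport;
import org.codehaus.groovy.ast.ClassNode;
import org.codehaus.groovy.ast.ImportNode;
import org.codehaus.groovy.ast.ModuleNode;
import org.codehaus.groovy.classgen.GeneratorContext;
import org.codehaus.groovy.control.CompilationFailedException;
import org.codehaus.groovy.control.CompilePhase;
import org.codehaus.groovy.control.CompilerConfiguration;
import org.codehaus.groovy.control.SourceUnit;
import org.codehaus.groovy.control.customizers.CompilationCustomizer;

import java.util.Arrays;
import java.util.List;

/** Illustrative only; hypothetical names, not the Splunk plugin's code. */
public class GroovyScriptValidation {

    /**
     * Vulnerable pattern. parse() compiles without running the script body, but Groovy applies
     * @Grab through an AST transformation during compilation, so compiling alone makes Grape
     * resolve and load whatever artifact the script names. Never feed this untrusted input.
     */
    static boolean validateUnsafe(String script) {
        try {
            new GroovyShell().parse(script);
            return true;
        } catch (CompilationFailedException e) {
            return false;
        }
    }

    /**
     * Hardened pattern: the same compile-only check, but with a compiler configuration whose
     * customizer aborts compilation as soon as a Grape or AST-test annotation is seen.
     * In a Jenkins form-validation method the boolean would map to FormValidation.ok()/error().
     */
    static boolean validateSafe(String script) {
        CompilerConfiguration cc = new CompilerConfiguration();
        cc.addCompilationCustomizers(new RejectUnsafeAnnotations());
        try {
            new GroovyShell(cc).parse(script);
            return true;
        } catch (CompilationFailedException | SecurityException e) {
            // Groovy reports the customizer's SecurityException as a compilation error.
            return false;
        }
    }

    /**
     * Modelled on the Jenkins script-security RejectASTTransformsCustomizer (an assumption).
     * CONVERSION is the earliest phase with an AST; names are not yet resolved there, so the
     * check matches both the short form ("Grab") and the qualified form ("groovy.lang.Grab").
     */
    static final class RejectUnsafeAnnotations extends CompilationCustomizer {
        private static final List<String> BLOCKED = Arrays.asList(
                "groovy.lang.Grab", "groovy.lang.Grapes", "groovy.lang.GrabConfig",
                "groovy.lang.GrabExclude", "groovy.lang.GrabResolver",
                "groovy.transform.ASTTest", "groovy.transform.AnnotationCollector");

        RejectUnsafeAnnotations() {
            super(CompilePhase.CONVERSION);
        }

        static void reject(String name) {
            for (String b : BLOCKED) {
                if (b.equals(name) || b.endsWith("." + name)) {
                    throw new SecurityException("annotation " + name + " is not allowed in validated scripts");
                }
            }
        }

        @Override
        public void call(final SourceUnit source, GeneratorContext context, ClassNode classNode)
                throws CompilationFailedException {
            new ClassCodeVisitorSupport() {
                @Override
                protected SourceUnit getSourceUnit() {
                    return source;
                }

                // Refuse importing the annotation classes at all, so "import groovy.lang.Grab as G"
                // cannot smuggle @G past the name check in visitAnnotations.
                @Override
                public void visitImports(ModuleNode module) {
                    if (module != null) {
                        for (ImportNode imp : module.getImports()) reject(imp.getType().getName());
                        for (ImportNode imp : module.getStaticImports().values()) reject(imp.getType().getName());
                    }
                    super.visitImports(module);
                }

                // ClassCodeVisitorSupport routes annotations on the class, its fields, methods,
                // parameters, local declarations, the package and the imports through here.
                @Override
                public void visitAnnotations(AnnotatedNode node) {
                    for (AnnotationNode an : node.getAnnotations()) reject(an.getClassNode().getName());
                    super.visitAnnotations(node);
                }
            }.visitClass(classNode);
        }
    }

    public static void main(String[] args) {
        // Constructed samples. The hostile one names a coordinate that cannot resolve; the
        // hardened validator refuses it before any resolution is attempted.
        String benign = "def m = [a: 1]\nreturn m.a + 1\n";
        String hostile = "@Grab(group='example.invalid', module='demo', version='1.0')\n"
                + "import java.util.Map\n"
                + "println 'never reached by parse()'\n";
        System.out.println("safe/benign   -> " + validateSafe(benign));
        System.out.println("safe/hostile  -> " + validateSafe(hostile));
        System.out.println("unsafe/benign -> " + validateUnsafe(benign));
        // validateUnsafe(hostile) is deliberately not run: it would hand the @Grab to Grape.
    }
}
```

Compile and run with the Groovy jar on the classpath (javac -cp groovy-&lt;version&gt;.jar GroovyScriptValidation.java, then java -cp .:groovy-&lt;version&gt;.jar GroovyScriptValidation). The short-name match deliberately errs toward rejection: a user-defined annotation that merely happens to be called Grab is refused as well. This only hardens the compile step; the workaround in the recommendations still applies, and a plugin would in addition gate the validation method on a permission check (for example Jenkins.get().checkPermission(Jenkins.ADMINISTER)) so that Overall/Read alone no longer reaches it.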

Fix

Related Identifiers

CVE-2019-10390
GHSA-CJR8-5RW4-WH65

Affected Products

Jenkins
Jenkins Splunk Plugin