PT-2019-2298 · Jenkins · Jenkins Script Security Plugin

Daniel Beck

·

Published

2019-02-19

·

Updated

2023-10-25

·

CVE-2019-1003024

CVSS v3.1

8.8

High

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Jenkins Script Security Plugin versions 1.52 and earlier
Description

A sandbox bypass exists in Jenkins Script Security Plugin 1.52 and earlier. An attacker with Overall/Read permission who can submit a Groovy script to an HTTP endpoint that compiles it under the script sandbox can execute arbitrary code on the Jenkins master JVM. The flaw is in the handling of AST annotations in RejectASTTransformsCustomizer.java, the component meant to stop sandboxed scripts from using unsafe AST-transforming annotations such as @Grab. Its check could be circumvented with ordinary Groovy language features that change how the annotation is written in source without changing what the compiler applies: wrapping the prohibited annotation in an AnnotationCollector, importing the annotation type under another name (import aliasing), or referring to it by its fully qualified class name. Because the annotation still reaches the Groovy compiler, the AST transformation runs with the privileges of the Jenkins process, outside the sandbox, and the attack needs no interaction from any other user.
Recommendations

Update Jenkins Script Security Plugin to a fixed release (1.53 or later), which prohibits the use of AnnotationCollector in sandboxed scripts and rejects prohibited annotations during the compilation phase regardless of how they are written. Until the update is applied, limit Overall/Read permission to trusted users, since that is the only permission the attack requires, and treat any sandboxed Groovy script containing @Grab or another AST-transforming annotation, in any of the forms above, as untrusted.
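All three spellings the description lists (AnnotationCollector, import alias, fully qualified class name) defeat a check that compares the annotation name as written in source against a short list of expected names. The following is an added example, written for this page and not code from Jenkins or the Script Security Plugin, of a CONVERSION-phase Groovy CompilationCustomizer that resolves each annotation name through the module's own import list before matching it, and rejects AnnotationCollector outright because it can re-export any annotation under a new name. The class names, the blocklist and the sample scripts are constructed for the example; it assumes Groovy 2.4 or later is installed and is run as a plain Groovy script.

```groovy
// Added example for this advisory page; not code from Jenkins or the Script Security Plugin.
// A CONVERSION-phase CompilationCustomizer that rejects unsafe AST-transforming
// annotations however the script spells them. Run with: groovy RejectGrabDemo.groovy
import org.codehaus.groovy.ast.*
import org.codehaus.groovy.classgen.GeneratorContext
import org.codehaus.groovy.control.*
import org.codehaus.groovy.control.customizers.CompilationCustomizer
import org.codehaus.groovy.control.messages.Message

class RejectUnsafeAnnotationsCustomizer extends CompilationCustomizer {
    // Blocklist chosen for this example (fully qualified names only).
    static final Set<String> BLOCKED = [
        'groovy.lang.Grab', 'groovy.lang.Grapes', 'groovy.lang.GrabConfig',
        'groovy.lang.GrabExclude', 'groovy.lang.GrabResolver',
        'groovy.transform.ASTTest',
        'groovy.transform.AnnotationCollector'   // can re-export any of the above under a new name
    ] as Set
    // Packages Groovy imports implicitly, so a bare "Grab" means groovy.lang.Grab.
    static final List<String> DEFAULT_PACKAGES = ['groovy.lang.', 'groovy.util.']

    RejectUnsafeAnnotationsCustomizer() { super(CompilePhase.CONVERSION) }

    @Override
    void call(SourceUnit source, GeneratorContext context, ClassNode classNode) {
        ModuleNode module = source.AST
        Map<String, String> aliases = [:]
        List<String> starPackages = []
        // Import aliasing: "import groovy.lang.Grab as Harmless" binds Harmless to a blocked type.
        for (ImportNode imp : module.imports) {
            if (imp.type.name in BLOCKED) {
                fail(source, imp, "import of ${imp.type.name} (as '${imp.alias}') is not allowed")
            }
            aliases[imp.alias] = imp.type.name
        }
        for (ImportNode imp : module.starImports) {
            String pkg = imp.packageName
            starPackages << (pkg.endsWith('.') ? pkg : pkg + '.')
        }
        new AnnotationChecker(source, aliases, starPackages).visitClass(classNode)
    }

    // Resolves the name exactly as the parser left it at CONVERSION (bare, aliased or
    // fully qualified) to a fully qualified class name.
    static String resolve(String spelled, Map<String, String> aliases, List<String> starPackages) {
        if (spelled.contains('.')) return spelled
        if (aliases.containsKey(spelled)) return aliases[spelled]
        for (String pkg : DEFAULT_PACKAGES + starPackages) {
            if ((pkg + spelled) in BLOCKED) return pkg + spelled
        }
        return spelled
    }

    // A fatal error aborts compilation at once, so the @Grab transform, which also runs
    // at CONVERSION, never sees the script.
    static void fail(SourceUnit source, ASTNode node, String why) {
        source.errorCollector.addFatalError(Message.create("${why} @ line ${node.lineNumber}".toString(), source))
    }
}

// Visits every annotation on the class, its imports, fields, methods, parameters and
// local declarations, and resolves each one before matching against the blocklist.
class AnnotationChecker extends ClassCodeVisitorSupport {
    private final SourceUnit source
    private final Map<String, String> aliases
    private final List<String> starPackages

    AnnotationChecker(SourceUnit source, Map<String, String> aliases, List<String> starPackages) {
        this.source = source
        this.aliases = aliases
        this.starPackages = starPackages
    }

    @Override
    protected SourceUnit getSourceUnit() { source }

    @Override
    void visitAnnotations(AnnotatedNode node) {
        for (AnnotationNode an : node.annotations) {
            String spelled = an.classNode.name
            String resolved = RejectUnsafeAnnotationsCustomizer.resolve(spelled, aliases, starPackages)
            if (resolved in RejectUnsafeAnnotationsCustomizer.BLOCKED) {
                RejectUnsafeAnnotationsCustomizer.fail(source, an, "annotation @${spelled} resolves to ${resolved}")
            }
        }
        super.visitAnnotations(node)
    }
}

// Compiles one constructed script under the customizer without running it.
String verdict(String label, String code) {
    CompilerConfiguration config = new CompilerConfiguration()
    config.addCompilationCustomizers(new RejectUnsafeAnnotationsCustomizer())
    try {
        new GroovyShell(config).parse(code)   // parse() compiles only; nothing executes
        return "${label}: ACCEPTED"
    } catch (MultipleCompilationErrorsException e) {
        return "${label}: REJECTED (${e.errorCollector.getError(0).message})"
    }
}

// Constructed inputs, one per spelling the advisory lists, plus a harmless control.
Map<String, String> samples = [
    'plain @Grab'         : "@Grab('example:lib:1.0')\nclass A {}",
    'fully qualified name': "@groovy.lang.Grab('example:lib:1.0')\nclass A {}",
    'import alias'        : "import groovy.lang.Grab as Harmless\n@Harmless('example:lib:1.0')\nclass A {}",
    'AnnotationCollector' : "@groovy.transform.AnnotationCollector([groovy.lang.Grab])\n@interface Dep {}\n@Dep(group='example', module='lib', version='1.0')\nclass A {}",
    'star import'         : "import groovy.transform.*\n@ASTTest({ assert false })\nclass A {}",
    'harmless @ToString'  : "@groovy.transform.ToString\nclass P { int x }"
]
samples.each { label, code -> println verdict(label, code) }
```

The customizer runs at CONVERSION because @Grab's own transformation (GrabAnnotationTransformation) is a CONVERSION-phase transform: a check placed after the compiler has resolved imports, at SEMANTIC_ANALYSIS, would execute after the dependency had already been fetched and loaded. That is why the example performs its own resolution from the module's import list rather than waiting for the compiler. It illustrates the kind of check the fixed plugin performs and is not a substitute for updating.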

Fix

Weakness Enumeration

Code Injection

Related Identifiers

BDU:2019-02069
CVE-2019-1003024
GHSA-JGPM-2862-Q5M8
RHSA-2019:0739

Affected Products

Jenkins
Jenkins Script Security Plugin