SB2019012210 - Sandbox restrictions bypass in Pipeline: Declarative plugin for Jenkins

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper access control (CVE-ID: CVE-2019-1003002)

The vulnerability allows a remote attacker to bypass sandbox restrictions.

The vulnerability exists due to improper access restrictions in "pipeline-model-definition/src/main/groovy/org/jenkinsci/plugins/pipeline/modeldefinition/parser/Converter.groovy" when applying AST transforming annotations such as @Grab to source code elements. A remote authenticated attacker with Overall/Read permission, or able to control Jenkins file or sandboxed Pipeline shared library contents in SCM, can provide a pipeline script to an HTTP endpoint and execute arbitrary code on the Jenkins master JVM.

Remediation

Install update from vendor's website.

References

• http://packetstormsecurity.com/files/152132/Jenkins-ACL-Bypass-Metaprogramming-Remote-Code-Execution.html
• https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266