exploitDog
CVE-2018-1000866

Published: 29 Oct 2018
Source: redhat
CVSS3: 8.8
EPSS: Low

Description

A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.59 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java, groovy-cps/lib/src/main/java/com/cloudbees/groovy/cps/SandboxCpsTransformer.java that allows attackers with Job/Configure permission, or unauthorized attackers with SCM commit privileges and corresponding pipelines based on Jenkinsfiles set up in Jenkins, to execute arbitrary code on the Jenkins master JVM.

Mitigation

Do not run untrusted Jenkins Pipeline scripts.
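The description above gives the affected range: Pipeline: Groovy Plugin (Jenkins plugin shortName workflow-cps) 2.59 and earlier. An administrator with several masters usually wants to confirm exposure from the installed plugin list rather than from memory. The script below is an added example, not code from this page or from the Jenkins project: it reads a plugin list in the shape of the Jenkins /pluginManager/api/json?depth=1 response, compares the workflow-cps version against the stated bound by numeric component, and refuses to pass an unparsable version as safe. The embedded plugin list is constructed sample data; the fetch helper's URL, user and API-token arguments are assumptions; script-security is reported only as present because this page lists it as affected without a version bound.

```python
import base64
import json
import re
import urllib.request

# Affected range stated in the advisory: Pipeline: Groovy Plugin
# (Jenkins shortName "workflow-cps") version 2.59 and earlier.
# Red Hat also lists script-security as affected, but this page gives no
# version bound for it, so only its presence is reported.
AFFECTED = {
    "workflow-cps": "2.59",      # last affected version per the advisory
    "script-security": None,     # listed affected, no bound given here
}

# Constructed sample in the shape of the /pluginManager/api/json?depth=1
# response, reduced to the fields this script reads.
SAMPLE_PLUGIN_LIST = json.dumps({
    "plugins": [
        {"shortName": "workflow-cps", "longName": "Pipeline: Groovy",
         "version": "2.59", "active": True},
        {"shortName": "script-security", "longName": "Script Security Plugin",
         "version": "1.47", "active": True},
        {"shortName": "git", "longName": "Jenkins Git plugin",
         "version": "3.9.1", "active": True},
    ]
})


def parse_version(version):
    """Leading numeric components of a plugin version as a tuple:
    '2.59' -> (2, 59), '2.61.1' -> (2, 61, 1), '2.60-beta-1' -> (2, 60).
    Returns None when the string starts with no number at all."""
    parts = []
    for piece in re.split(r"[.\-]", version.strip()):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    return tuple(parts) or None


def version_at_most(version, bound):
    """True when version <= bound by numeric component comparison.
    Tuple ordering makes 2.59.1 > 2.59, so a point release after the stated
    bound is not flagged. An unparsable version raises instead of being
    silently treated as safe."""
    v, b = parse_version(version), parse_version(bound)
    if v is None or b is None:
        raise ValueError(f"unparsable version: {version!r}")
    return v <= b


def classify(short_name, version):
    """Status string for one installed plugin named in AFFECTED."""
    bound = AFFECTED[short_name]
    if bound is None:
        return "listed affected, no version bound given"
    try:
        return "affected" if version_at_most(version, bound) else "not affected"
    except ValueError:
        return "unknown version, check manually"


def find_affected(plugin_list_json):
    """Return (shortName, version, status) for every plugin named in
    AFFECTED, in the order the plugin list presents them."""
    plugins = json.loads(plugin_list_json)["plugins"]
    return [(p["shortName"], p["version"], classify(p["shortName"], p["version"]))
            for p in plugins if p["shortName"] in AFFECTED]


def fetch_plugin_list(base_url, user, api_token):
    """Fetch the live plugin list from a Jenkins master. The account needs
    permission to view the plugin manager (normally an administrator);
    pass an API token, not a password. Arguments are assumptions."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + cred)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Offline run over the constructed sample; substitute
    # fetch_plugin_list("https://jenkins.example", "admin", "<token>")
    # for a real master.
    for name, ver, status in find_affected(SAMPLE_PLUGIN_LIST):
        print(f"{name:16} {ver:10} {status}")
```

On the constructed sample the workflow-cps entry comes back as affected and script-security as present without a bound. Note that this only tells you whether the vulnerable version is installed; whether anyone with Job/Configure or SCM commit access can reach a Pipeline on that master is a separate question the mitigation line above addresses.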

Affected packages

Platform                                    Package                          State
Red Hat OpenShift Container Platform 3.2    jenkins-plugin-script-security   Affected
Red Hat OpenShift Container Platform 3.2    jenkins-plugin-workflow-cps      Affected
Red Hat OpenShift Container Platform 3.3    jenkins-plugin-script-security   Affected
Red Hat OpenShift Container Platform 3.3    jenkins-plugin-workflow-cps      Affected
Red Hat OpenShift Container Platform 3.4    jenkins-plugin-script-security   Affected
Red Hat OpenShift Container Platform 3.4    jenkins-plugin-workflow-cps      Affected
Red Hat OpenShift Container Platform 3.5    jenkins-plugin-script-security   Affected
Red Hat OpenShift Container Platform 3.10   jenkins-plugin-script-security   Affected
Red Hat OpenShift Container Platform 3.10   jenkins-plugin-workflow-cps      Affected
Red Hat OpenShift Container Platform 3.11   jenkins-plugin-script-security   Affected

The Recommendation and Release columns are blank for every row.


Additional information

Status: Important
Flaw: CWE-94
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1647059
jenkins-plugin-script-security: Sandbox Bypass in finalize methods

EPSS: 0.00615 (Low), percentile 69%
CVSS3: 8.8 High

Related vulnerabilities

nvd (about 7 years ago), CVSS3: 8.8
A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.59 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java, groovy-cps/lib/src/main/java/com/cloudbees/groovy/cps/SandboxCpsTransformer.java that allows attackers with Job/Configure permission, or unauthorized attackers with SCM commit privileges and corresponding pipelines based on Jenkinsfiles set up in Jenkins, to execute arbitrary code on the Jenkins master JVM.

debian (about 7 years ago), CVSS3: 8.8
A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.59 ...

github (over 3 years ago), CVSS3: 8.8
Jenkins Script Security and Pipeline Groovy Plugins Sandbox Bypass
