Описание
A sandbox bypass vulnerability exists in Jenkins Job DSL Plugin 1.71 and earlier in job-dsl-core/src/main/groovy/javaposse/jobdsl/dsl/AbstractDslScriptLoader.groovy, job-dsl-plugin/build.gradle, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/JobDslWhitelist.groovy, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/SandboxDslScriptLoader.groovy that allows attackers with control over Job DSL definitions to execute arbitrary code on the Jenkins master JVM.
A flaw was found in the Jenkins Job DSL plugin. Parsing, compilation, and script instantiations provided by a crafted Groovy script could escape the sandbox allowing users to execute arbitrary code on the Jenkins master. The highest risk from this vulnerability is to data confidentiality and integrity as well as system availability.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat OpenShift Container Platform 4 | jenkins-2-plugins | Not affected | ||
| Red Hat OpenShift Container Platform 3.11 | jenkins-2-plugins | Fixed | RHSA-2019:0739 | 10.04.2019 |
Показывать по
Дополнительная информация
Статус:
8.8 High
CVSS3
Связанные уязвимости
A sandbox bypass vulnerability exists in Jenkins Job DSL Plugin 1.71 and earlier in job-dsl-core/src/main/groovy/javaposse/jobdsl/dsl/AbstractDslScriptLoader.groovy, job-dsl-plugin/build.gradle, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/JobDslWhitelist.groovy, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/SandboxDslScriptLoader.groovy that allows attackers with control over Job DSL definitions to execute arbitrary code on the Jenkins master JVM.
Script security sandbox bypass in Jenkins Job DSL Plugin
Уязвимость компонентов AbstractDslScriptLoader.groovy, JobDslWhitelist.groovy, SandboxDslScriptLoader.groovy плагина Jenkins Job DSL, позволяющая нарушителю выполнить произвольный код
8.8 High
CVSS3