Description
A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin 2.64 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts.
A flaw was found in the Jenkins Workflow CPS plugin. Groovy Plugins could be circumvented through methods supporting type casts and type coercion, allowing attackers to invoke constructors for arbitrary types. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Affected packages
| Platform | Package | State | Advisory | Release |
|---|---|---|---|---|
| Red Hat OpenShift Container Platform 3.10 | jenkins-plugin-workflow-cps | Will not fix | ||
| Red Hat OpenShift Container Platform 3.4 | jenkins-plugin-workflow-cps | Out of support scope | ||
| Red Hat OpenShift Container Platform 3.5 | jenkins-plugin-workflow-cps | Out of support scope | ||
| Red Hat OpenShift Container Platform 3.6 | jenkins-plugin-workflow-cps | Will not fix | ||
| Red Hat OpenShift Container Platform 3.7 | jenkins-plugin-workflow-cps | Will not fix | ||
| Red Hat OpenShift Container Platform 3.9 | jenkins-plugin-workflow-cps | Will not fix | ||
| Red Hat OpenShift Container Platform 4 | jenkins-2-plugins | Not affected | ||
| Red Hat OpenShift Container Platform 3.11 | jenkins-2-plugins | Fixed | RHSA-2019:1423 | 10.06.2019 |
Additional information
Status:
EPSS
8.8 High
CVSS3
Related vulnerabilities
A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin 2.64 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts.
Sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin
Vulnerability in the Jenkins Pipeline Groovy plugin, related to incorrect type conversion, that allows an attacker to invoke arbitrary constructors