CVSS2: 6.5 Medium (AV:N/AC:L/Au:S/C:P/I:P/A:P)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | SINGLE |
Confidentiality Impact | PARTIAL |
Integrity Impact | PARTIAL |
Availability Impact | PARTIAL |

CVSS3: 8.8 High (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | HIGH |
Integrity Impact | HIGH |
Availability Impact | HIGH |

EPSS: 0.005 Low (Percentile 77.3%)
The previously implemented script security sandbox protections prohibiting the use of unsafe AST-transforming annotations such as @Grab (the 2019-01-08 fix for SECURITY-1266) could be circumvented through the use of Groovy language features such as AnnotationCollector. This allowed users with Overall/Read permission, or with the ability to control Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass the sandbox protection and execute arbitrary code on the Jenkins controller.

Use of AnnotationCollector is now prohibited in sandboxed scripts such as Pipelines. Importing any of the annotations considered unsafe now results in an error, and during the compilation phase both the simple and the fully qualified class names of prohibited annotations are rejected for element annotations.
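A defender-side check in the spirit of the fix described above, added here as an example and not code from the script-security plugin: it flags script text that imports or applies a prohibited annotation by either its simple or its fully qualified name, so a wildcard package import or a fully qualified use cannot slip past a check that only knows the short name. The fully qualified names groovy.lang.Grab and groovy.transform.AnnotationCollector are the standard Groovy packages for those annotations; the sample script is constructed and the placeholder coordinates in it are not real.

```python
import re

# Annotations the advisory treats as unsafe in sandboxed scripts, by fully
# qualified name (standard Groovy packages; extend this tuple for your policy).
PROHIBITED = (
    "groovy.lang.Grab",
    "groovy.transform.AnnotationCollector",
)
# simple name -> fully qualified name, so "@Grab" and "@groovy.lang.Grab" both match
_BY_SIMPLE_NAME = {fq.rsplit(".", 1)[1]: fq for fq in PROHIBITED}

_IMPORT_RE = re.compile(r"^\s*import\s+(?:static\s+)?(\w+(?:\.\w+)*)(\.\*)?")
_ANNOTATION_RE = re.compile(r"@([A-Za-z_]\w*(?:\.\w+)*)")


def find_prohibited_annotations(script):
    """Return [(line_no, reason), ...] for every import or annotation use that
    names a prohibited annotation by simple or fully qualified name.
    Text-level only: a match inside a string literal is reported too, which
    is the conservative choice for a pre-commit gate."""
    findings = []
    for line_no, line in enumerate(script.splitlines(), 1):
        m = _IMPORT_RE.match(line)
        if m:
            imported, wildcard = m.group(1), m.group(2) is not None
            for fq in PROHIBITED:
                package = fq.rsplit(".", 1)[0]
                # exact class import, or a package wildcard that covers the class
                if imported == fq or (wildcard and imported == package):
                    findings.append((line_no, "import of " + fq))
            continue
        for name in _ANNOTATION_RE.findall(line):
            fq = name if name in PROHIBITED else _BY_SIMPLE_NAME.get(name)
            if fq is not None:
                findings.append((line_no, "annotation " + fq))
    return findings


def is_sandbox_safe(script):
    return not find_prohibited_annotations(script)


# Constructed sample script (not from the advisory) exercising both name forms.
SAMPLE_SCRIPT = """\
import groovy.transform.AnnotationCollector
import groovy.lang.*

@AnnotationCollector
@interface Collected {}

@groovy.lang.Grab('org.example:placeholder:1.0')
def run() { println 'hello' }
"""

if __name__ == "__main__":
    for line_no, reason in find_prohibited_annotations(SAMPLE_SCRIPT):
        print(f"line {line_no}: {reason}")
```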
| CPE | Name | Operator | Version |
|---|---|---|---|
| | org.jenkins-ci.plugins:script-security | le | 1.52 |
access.redhat.com/errata/RHSA-2019:0739
github.com/advisories/GHSA-jgpm-2862-q5m8
github.com/jenkinsci/script-security-plugin/commit/3228c88e84f0b2f24845b6466cae35617e082059
jenkins.io/security/advisory/2019-02-19/#SECURITY-1320
nvd.nist.gov/vuln/detail/CVE-2019-1003024
web.archive.org/web/20200227084947/www.securityfocus.com/bid/107295