Sandbox Bypass

Affecting the org.jenkins-ci.plugins:script-security artifact, versions [,1.50) (that is, every release before 1.50)

Overview

org.jenkins-ci.plugins:script-security is a Jenkins plugin that allows administrators to control which in-process Groovy scripts can be run by less-privileged users, by sandboxing them or requiring administrator approval.

Affected versions of this package are vulnerable to Sandbox Bypass. The sandbox did not apply its restrictions to Groovy AST-transforming annotations, so code attached to such an annotation ran at script compilation time, before the sandbox's runtime checks took effect. A malicious user with Overall/Read permission, or one able to control Jenkinsfile or sandboxed Pipeline shared library contents in SCM, could therefore bypass the sandbox protection and execute arbitrary code on the Jenkins master.

Remediation

Upgrade org.jenkins-ci.plugins:script-security to version 1.50 or higher.
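The affected range above is written in Maven version-range notation, so confirming an upgrade is a matter of comparing the installed plugin version against it. The following Python script is an added example, not code from the Snyk page or from the Script Security plugin: it parses that notation and applies it to plugin records shaped like the list Jenkins exposes at /pluginManager/api/json?depth=1, where each plugin carries a shortName and a version (the plugin's Jenkins shortName is script-security). The JSON response embedded in the block is constructed for the example, not captured from a real server.

```python
"""Check a Jenkins plugin inventory against this advisory's affected range.

Added example (not part of the Snyk page or of the plugin's own code). It parses
the Maven-style version range "[,1.50)" quoted in the advisory and applies it to
plugin records shaped like Jenkins' /pluginManager/api/json?depth=1 response,
where each plugin carries "shortName" and "version". SAMPLE_RESPONSE below is
constructed for this example.
"""
import json
import re

# Range exactly as the advisory states it: no lower bound, exclusive upper bound 1.50.
AFFECTED_RANGE = "[,1.50)"
# Jenkins shortName of the org.jenkins-ci.plugins:script-security artifact.
PLUGIN_SHORT_NAME = "script-security"

# Constructed sample of the pluginManager API output (not a real server response).
SAMPLE_RESPONSE = json.dumps({
    "plugins": [
        {"shortName": "script-security", "version": "1.49", "active": True},
        {"shortName": "workflow-cps", "version": "2.61", "active": True},
        {"shortName": "git", "version": "3.9.1", "active": True},
    ]
})


def parse_version(version):
    """Turn '1.49.1' into (1, 49, 1) for tuple comparison.

    Qualifiers after '-' or '+' (e.g. '1.50-SNAPSHOT') are dropped, which treats a
    pre-release build like its final release; confirm such builds by hand.
    """
    core = re.split(r"[-+]", version, maxsplit=1)[0]
    return tuple(int(part) for part in core.split(".") if part.isdigit())


def version_in_range(version, range_spec):
    """Evaluate a Maven-style range such as '[,1.50)', '[1.50,]' or '(1.0,2.0]'.

    '[' / ']' are inclusive bounds, '(' / ')' exclusive, an empty bound is open.
    """
    m = re.fullmatch(r"([\[(])\s*([^,\s]*)\s*,\s*([^\])\s]*)\s*([\])])", range_spec)
    if not m:
        raise ValueError(f"unsupported range syntax: {range_spec!r}")
    lo_bracket, lo, hi, hi_bracket = m.groups()
    v = parse_version(version)
    if lo:
        lo_v = parse_version(lo)
        if v < lo_v or (v == lo_v and lo_bracket == "("):
            return False
    if hi:
        hi_v = parse_version(hi)
        if v > hi_v or (v == hi_v and hi_bracket == ")"):
            return False
    return True


def affected_plugins(plugin_manager_json, short_name=PLUGIN_SHORT_NAME, range_spec=AFFECTED_RANGE):
    """Return [(shortName, version)] for installed plugins that fall inside the range."""
    hits = []
    for plugin in json.loads(plugin_manager_json).get("plugins", []):
        if plugin.get("shortName") == short_name and version_in_range(plugin["version"], range_spec):
            hits.append((plugin["shortName"], plugin["version"]))
    return hits


if __name__ == "__main__":
    for name, version in affected_plugins(SAMPLE_RESPONSE):
        print(f"{name} {version} is inside {AFFECTED_RANGE}: upgrade to 1.50 or higher")
```

To run it against a live controller, fetch /pluginManager/api/json?depth=1 with an account that has Overall/Administer and pass the body to affected_plugins; an empty result for script-security means the installed release is 1.50 or later and the remediation above has been applied.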

CVSS Score

8.8 (high severity)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Credit: Orange Tsai
CVE: CVE-2019-1003000
CWE: CWE-265 (Privilege Issues)
Snyk ID: SNYK-JAVA-ORGJENKINSCIPLUGINS-73604
Disclosed: 22 Jan, 2019
Published: 22 Jan, 2019