Arbitrary code execution outside sandbox
Summary
Jenkins Script Security Plugin 1402.v94c9ce464861 and earlier does not reject Groovy AST transformation annotations carrying an extensions member, allowing attackers able to run sandboxed Groovy scripts to execute code outside the sandbox if a suitable script is present on the classpath of the component that evaluates the script. A flaw was found in the Jenkins Script Security Plugin. Attackers with the ability to run sandboxed Groovy scripts can exploit this vulnerability to execute arbitrary code outside the sandbox environment. This is due to the plugin's failure to reject Groovy Abstract Syntax Tree (AST) transformation annotations that include an extensions member, allowing unauthorized script execution if a suitable script exists on the classpath. This flaw has an Important impact as the Jenkins Script Security Plugin shipped in Red Hat OpenShift Container Platform is susceptible to a sandbox bypass. An authenticated attacker with the ability to run sandboxed Groovy scripts can exploit improperly handled AST transformation annotations to execute arbitrary code outside the sandbox on the Jenkins controller. Exploitation requires a suitable script to be present on the classpath, increasing attack complexity. Red Hat severity: Important — CVSS 8.5 (CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H). Weakness: CWE-917. No fixing RHSA erratum has published yet; monitor the Red Hat CVE page and patch when it ships.
Mitigation checklist
- Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
Official advisory · high-confidence parse· fetched 6 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.