logo

Database

Improper authorization control for web services In org.jenkins-ci.plugins:groovy

Description

Jenkins Groovy Plugin sandbox bypass vulnerability A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.0 and earlier in src/main/java/hudson/plugins/groovy/StringScriptSource.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM. In version 2.1, the affected HTTP endpoint applies a safe Groovy compiler configuration preventing the use of unsafe AST transforming annotations.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2019-10030062. NVD-2019-10030063. OSV-2019-10030064. GCVE-2019-1003006

References

1. https://github.com/jenkinsci/groovy-plugin/commit/212e048a319ae32dad4cfec5e73a885a9f4781f02. https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1293

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.