GHSA-27rf-8mjp-r363

Suggest an improvement
Source
https://github.com/advisories/GHSA-27rf-8mjp-r363
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-27rf-8mjp-r363/GHSA-27rf-8mjp-r363.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-27rf-8mjp-r363
Aliases
Published
2022-10-19T19:00:21Z
Modified
2023-11-01T05:00:12.827872Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Sandbox bypass vulnerabilities in Jenkins Script Security Plugin and in Pipeline: Groovy Plugin
Details

Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowed.

Multiple sandbox bypass vulnerabilities exist in Script Security Plugin and Pipeline: Groovy Plugin:

  • In Script Security Plugin 1183.v774b0b0aa451 and earlier and in Pipeline: Groovy Plugin 2802.v5ea628154bc2 and earlier, various casts performed implicitly by the Groovy language runtime were not intercepted by the sandbox. This includes casts performed when returning values from methods, when assigning local variables, fields, properties, and when defining default arguments for closure, constructor, and method parameters (CVE-2022-43401 in Script Security Plugin and CVE-2022-43402 in Pipeline: Groovy Plugin).
  • In Script Security Plugin 1183.v774b0b0aa451 and earlier, when casting an array-like value to an array type, per-element casts to the component type of the array are not intercepted by the sandbox (CVE-2022-43403).
  • In Script Security Plugin 1183.v774b0b0aa451 and earlier, crafted constructor bodies and calls to sandbox-generated synthetic constructors can be used to construct any subclassable type (due to an incomplete fix for SECURITY-1754 in the 2020-03-09 security advisory) (CVE-2022-43404).

These vulnerabilities allow attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

These vulnerabilities have been fixed:

  • Script Security Plugin 1184.v85d16bd851b3 and Pipeline: Groovy Plugin 2803.v1a_f77ffcc773 intercept Groovy casts performed implicitly by the Groovy language runtime (CVE-2022-43401 in Script Security Plugin and CVE-2022-43402 in Pipeline: Groovy Plugin).
  • Script Security Plugin 1184.v85d16bd851b3 intercepts per-element casts when casting array-like values to array types (CVE-2022-43403).
  • Script Security Plugin 1184.v85d16bd851b3 rejects improper calls to sandbox-generated synthetic constructors (CVE-2022-43404).

Both plugins, Script Security Plugin and Pipeline: Groovy Plugin must be updated simultaneously. While Script Security Plugin could be updated independently, doing so would cause errors in Pipeline: Groovy Plugin due to an incompatible API change.

References

Affected packages

Maven / org.jenkins-ci.plugins:script-security

Package

Name
org.jenkins-ci.plugins:script-security
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins/script-security

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1184.v85d16b_d851b_3

Database specific

{
    "last_known_affected_version_range": "< 1184.v85d16b"
}

Maven / org.jenkins-ci.plugins.workflow:workflow-cps

Package

Name
org.jenkins-ci.plugins.workflow:workflow-cps
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2803.v1a_f77ffcc773

Database specific

{
    "last_known_affected_version_range": "<= 2802.v5ea"
}