https://bugzilla.redhat.com/show_bug.cgi?id=1471060
Bug ID: 1471060
Summary: CVE-2017-1000095 jenkins-plugin-script-security: Unsafe methods in the default whitelist (SECURITY-538)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: amaris@redhat.com
CC: bleanhar@redhat.com, ccoleman@redhat.com, dedgar@redhat.com, dmcphers@redhat.com, java-sig-commits@lists.fedoraproject.org, jgoulding@redhat.com, jkeck@redhat.com, joelsmith@redhat.com, kseifried@redhat.com, mizdebsk@redhat.com, msrb@redhat.com
The default whitelist included the entries:
    DefaultGroovyMethods.putAt(Object, String, Object)
    DefaultGroovyMethods.getAt(Object, String)
These allowed circumventing many of the access restrictions implemented in the script sandbox by using e.g. currentBuild['rawBuild'] rather than currentBuild.rawBuild.
Additionally, the following entries allowed accessing private data that would not be accessible otherwise due to script security:
    groovy.json.JsonOutput.toJson(Closure)
    groovy.json.JsonOutput.toJson(Object)
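An audit helper for the two things a Jenkins administrator would check after reading the description above: whether the installed script-security plugin predates the fixed version recorded in this bug (1.29.1), and whether any of the four signatures named here survive as administrator-approved signatures, which the plugin keeps separately from its built-in whitelist. This is an added example, not code from Jenkins, the plugin or Red Hat. It assumes the plugin's signature-string format ("staticMethod <class> <method> <param types...>") and the scriptApproval.xml layout from memory; both should be verified against a real instance, and the sample XML is constructed for the example.

```python
"""Audit helper for CVE-2017-1000095 / SECURITY-538 (added example, not
Jenkins, plugin or Red Hat code).

Assumptions not stated on the bug page: the signature-string format
"staticMethod <class> <method> <param types...>" and the layout of
JENKINS_HOME/scriptApproval.xml (root element carrying a plugin="name@version"
attribute and an <approvedSignatures> list of <string> entries) are
reproduced from memory of the plugin and should be checked on a real instance.
"""
import xml.etree.ElementTree as ET

# "Fixed In Version" recorded in this bug.
FIXED_VERSION = "1.29.1"

# The four whitelist entries named in the bug, in the plugin's signature format.
UNSAFE_SIGNATURES = {
    "staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods putAt "
    "java.lang.Object java.lang.String java.lang.Object",
    "staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt "
    "java.lang.Object java.lang.String",
    "staticMethod groovy.json.JsonOutput toJson groovy.lang.Closure",
    "staticMethod groovy.json.JsonOutput toJson java.lang.Object",
}

# Constructed sample of a scriptApproval.xml where an administrator has
# re-approved two of the removed signatures on a pre-fix plugin version.
SAMPLE_SCRIPT_APPROVAL = """<scriptApproval plugin="script-security@1.29">
  <approvedScriptHashes/>
  <approvedSignatures>
    <string>method java.lang.String toUpperCase</string>
    <string>staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt java.lang.Object java.lang.String</string>
    <string>staticMethod groovy.json.JsonOutput toJson java.lang.Object</string>
  </approvedSignatures>
  <pendingScripts/>
  <pendingSignatures/>
</scriptApproval>
"""


def parse_version(version):
    """Turn '1.29.1' into (1, 29, 1); a non-numeric component counts as 0."""
    parts = []
    for component in version.split("."):
        digits = "".join(ch for ch in component if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def plugin_is_vulnerable(installed_version):
    """True when the installed plugin is older than the fixed release."""
    return parse_version(installed_version) < parse_version(FIXED_VERSION)


def plugin_version_from_xml(xml_text):
    """Read the version from the root element's plugin="name@version" attribute
    (assumed layout); returns None when it is absent."""
    root = ET.fromstring(xml_text)
    tag = root.get("plugin")
    if not tag or "@" not in tag:
        return None
    return tag.split("@", 1)[1]


def approved_signatures(xml_text):
    """All administrator-approved signature strings in the file."""
    root = ET.fromstring(xml_text)
    return [s.text.strip() for s in root.findall("./approvedSignatures/string") if s.text]


def find_unsafe_approvals(xml_text):
    """Approved signatures that match one of the entries named in the advisory."""
    return sorted(sig for sig in approved_signatures(xml_text) if sig in UNSAFE_SIGNATURES)


def audit(xml_text, installed_version=None):
    """Return a list of human-readable findings; empty means nothing to fix."""
    findings = []
    version = installed_version or plugin_version_from_xml(xml_text)
    if version is None:
        findings.append("could not determine script-security plugin version; check manually")
    elif plugin_is_vulnerable(version):
        findings.append(f"script-security {version} is older than {FIXED_VERSION}: upgrade")
    for sig in find_unsafe_approvals(xml_text):
        findings.append(f"administrator-approved unsafe signature: {sig}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SCRIPT_APPROVAL):
        print(finding)
```

Point `audit()` at the contents of a real scriptApproval.xml to run it outside the sample; upgrading the plugin removes the entries from the default whitelist, but anything an administrator approved explicitly stays approved until it is revoked in the in-process script approval screen.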
External References:
https://jenkins.io/security/advisory/2017-07-10/
Adam Mariš amaris@redhat.com changed:
What             | Removed | Added
-----------------+---------+--------------------------------------
Fixed In Version |         | jenkins-plugin-script-security 1.29.1
--- Comment #1 from Adam Mariš amaris@redhat.com ---
Acknowledgments:
Name: the Jenkins project
Adam Mariš amaris@redhat.com changed:
What       | Removed | Added
-----------+---------+--------
Depends On |         | 1471061
--- Comment #2 from Adam Mariš amaris@redhat.com --- Created jenkins-script-security-plugin tracking bugs for this issue:
Affects: fedora-all [bug 1471061]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1471061 [Bug 1471061] CVE-2017-1000095 jenkins-script-security-plugin: jenkins-plugin-script-security: Unsafe methods in the default whitelist (SECURITY-538) [fedora-all]
Adam Mariš amaris@redhat.com changed:
What   | Removed | Added
-------+---------+--------
Blocks |         | 1471067
Kurt Seifried kseifried@redhat.com changed:
What       | Removed | Added
-----------+---------+--------
Depends On |         | 1472032
Trevor Jay tjay@redhat.com changed:
What        | Removed | Added
------------+---------+--------------------
Status      | NEW     | CLOSED
CC          |         | tjay@redhat.com
Resolution  | ---     | WONTFIX
Last Closed |         | 2017-08-14 12:43:05
--- Comment #4 from Trevor Jay tjay@redhat.com --- This flaw has a low impact as used in Red Hat products. Closing WONTFIX.
--- Doc Text *updated* by Kurt Seifried kseifried@redhat.com --- The jenkins-plugin-script-security improperly whitelisted "DefaultGroovyMethods.putAt(Object, String, Object)" and "DefaultGroovyMethods.getAt(Object, String)" which allow attackers to bypass many restrictions and potentially trigger builds or access data they should not have access to. Please note that exploitation of this requires the attacker to have access to the Jenkins instance, and for that Jenkins instance to be hosting other projects as well that the attacker should not have access to.
--- Doc Text *updated* by Kurt Seifried kseifried@redhat.com --- The jenkins-plugin-script-security improperly whitelisted "DefaultGroovyMethods.putAt(Object, String, Object)" and "DefaultGroovyMethods.getAt(Object, String)" which allows attackers to bypass many restrictions and potentially trigger builds or access data they should not have access to. Please note that exploitation of this requires the attacker to have access to the Jenkins instance, and for that Jenkins instance to be hosting other projects as well that the attacker should not have access to.
--- Doc Text *updated* by Eric Christensen sparks@redhat.com --- The jenkins-plugin-script-security improperly whitelisted "DefaultGroovyMethods.putAt(Object, String, Object)" and "DefaultGroovyMethods.getAt(Object, String)" which allows attackers to bypass many restrictions and potentially trigger builds or access data they should not have access to. Exploitation of this requires the attacker to have access to the Jenkins instance, and for that Jenkins instance to be hosting other projects as well that the attacker should not have access to.
Trevor Jay tjay@redhat.com changed:
What       | Removed | Added
-----------+---------+------
Priority   | high    | low
Severity   | high    | low
Whiteboard | Removed: impact=important,public=20170710,reported=20170707,source=distros,cvss3=8.8/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-184,openshift-enterprise-3/jenkins-plugin-script-security=new,fedora-all/jenkins-script-security-plugin=affected
           | Added:   impact=low,public=20170710,reported=20170707,source=distros,cvss3=5.2/CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L,cwe=CWE-184,openshift-enterprise-3/jenkins-plugin-script-security=new,fedora-all/jenkins-script-security-plugin=affected
Trevor Jay tjay@redhat.com changed:
What       | Removed | Added
-----------+---------+------
Priority   | low     | high
Severity   | low     | high
Whiteboard | Removed: impact=low,public=20170710,reported=20170707,source=distros,cvss3=5.2/CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L,cwe=CWE-184,openshift-enterprise-3/jenkins-plugin-script-security=new,fedora-all/jenkins-script-security-plugin=affected
           | Added:   impact=important,public=20170710,reported=20170707,source=distros,cvss3=8.8/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-184,openshift-enterprise-3/jenkins-plugin-script-security=affected/impact=low/cvss3=5.2/CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L,fedora-all/jenkins-script-security-plugin=affected
Trevor Jay tjay@redhat.com changed:
What       | Removed | Added
-----------+---------+------
Whiteboard | Removed: impact=important,public=20170710,reported=20170707,source=distros,cvss3=8.8/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-184,openshift-enterprise-3/jenkins-plugin-script-security=affected/impact=low/cvss3=5.2/CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L,fedora-all/jenkins-script-security-plugin=affected
           | Added:   impact=important,public=20170710,reported=20170707,source=distros,cvss3=8.8/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-184,openshift-enterprise-3/jenkins-plugin-script-security=wontfix/impact=low/cvss3=5.2/CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L,fedora-all/jenkins-script-security-plugin=affected
Bug 1471060 depends on bug 1471061, which changed state.
Bug 1471061 Summary: CVE-2017-1000095 jenkins-script-security-plugin: jenkins-plugin-script-security: Unsafe methods in the default whitelist (SECURITY-538) [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1471061
What       | Removed | Added
-----------+---------+-------
Status     | NEW     | CLOSED
Resolution | ---     | EOL
Bug 1471060 depends on bug 1471061, which changed state.
Bug 1471061 Summary: CVE-2017-1000095 jenkins-script-security-plugin: jenkins-plugin-script-security: Unsafe methods in the default whitelist (SECURITY-538) [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1471061
What       | Removed | Added
-----------+---------+------
Status     | CLOSED  | NEW
Resolution | EOL     | ---