https://bugzilla.redhat.com/show_bug.cgi?id=1735515
Bug ID: 1735515
Summary: CVE-2019-10355 jenkins-plugin-script-security: Sandbox bypass through type casts in Script Security Plugin
Product: Security Response
Hardware: All
OS: Linux
Status: NEW
Whiteboard: impact=important,public=20190801,reported=20190801,source=internet,cvss3=8.8/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-704,fedora-all/jenkins-script-security-plugin=affected,openshift-enterprise-3.9/jenkins-script-security-plugin=new,openshift-enterprise-3.10/jenkins-script-security-plugin=new,openshift-enterprise-3.11/jenkins-2-plugins=new,openshift-enterprise-4.1/jenkins-2-plugins=new,openshift-4.2/jenkins-2-plugins=new
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: sfowler@redhat.com
CC: abenaiss@redhat.com, ahardin@redhat.com, bleanhar@redhat.com, ccoleman@redhat.com, dedgar@redhat.com, eparis@redhat.com, java-sig-commits@lists.fedoraproject.org, jgoulding@redhat.com, jokerman@redhat.com, mchappel@redhat.com, mizdebsk@redhat.com, msrb@redhat.com, vbobade@redhat.com
Target Milestone: ---
Classification: Other
Sandbox protection in Jenkins Script Security Plugin could be circumvented by casting crafted objects to other types. This allowed attackers able to specify sandboxed scripts to invoke constructors that weren’t whitelisted.
Additionally, this could be used to read arbitrary files on the Jenkins master.
Casting collections to other types as an alternative syntax for constructor invocation is now only allowed when the collection type is defined in java.util, and prohibited otherwise. Casting files and enums to arrays is now intercepted by the sandbox and treated as the invocation of an equivalent method.
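The cast policy described above, modelled as an added example (this is not the Script Security Plugin's own code; the class name CastPolicy, the Decision enum and the exact assignability tests are assumptions that simplify the real sandbox interceptor):

```java
import java.io.File;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Map;

// Hypothetical model of the post-fix rules: which casts are passed through as
// ordinary conversions, which are re-checked as constructor or method calls,
// and which are refused outright. Constructed for illustration only.
public final class CastPolicy {
    public enum Decision { ORDINARY_CAST, CONSTRUCTOR_CALL_CHECK, METHOD_CALL_CHECK, DENY }

    public static Decision decide(Object value, Class<?> target) {
        if (value == null) return Decision.ORDINARY_CAST;
        Class<?> source = value.getClass();
        // Groovy treats "(Foo) [a, b]" / "[a, b] as Foo" as a call to new Foo(a, b)
        // when the target is neither a collection nor an array. After the fix, only
        // collections whose runtime class lives in java.util may be used this way;
        // any other collection class (user subclasses included) is refused.
        boolean constructorSyntax = value instanceof Collection
                && !Collection.class.isAssignableFrom(target)
                && !Map.class.isAssignableFrom(target)
                && !target.isArray()
                && !target.isAssignableFrom(source);
        if (constructorSyntax) {
            Package p = source.getPackage();
            boolean fromJavaUtil = p != null && "java.util".equals(p.getName());
            return fromJavaUtil ? Decision.CONSTRUCTOR_CALL_CHECK : Decision.DENY;
        }
        // Casting a File or an enum to an array is no longer a silent conversion:
        // it is checked as if the equivalent method on the value had been called.
        if (target.isArray() && (value instanceof File || value instanceof Enum)) {
            return Decision.METHOD_CALL_CHECK;
        }
        return Decision.ORDINARY_CAST;
    }

    // A user-defined collection class: its package is not java.util.
    static final class HomemadeList extends ArrayList<Object> {}

    public static void main(String[] args) {
        System.out.println(decide(new ArrayList<>(), Thread.class));     // CONSTRUCTOR_CALL_CHECK
        System.out.println(decide(new HomemadeList(), Thread.class));    // DENY
        System.out.println(decide(new File("/tmp/x"), String[].class)); // METHOD_CALL_CHECK
        System.out.println(decide(Decision.DENY, Object[].class));       // METHOD_CALL_CHECK
        System.out.println(decide(new ArrayList<>(), Collection.class)); // ORDINARY_CAST
    }
}
```

A CONSTRUCTOR_CALL_CHECK or METHOD_CALL_CHECK result means the sandbox still has to apply its normal whitelist to the resulting constructor or method, so the cast is only permitted if that call would be.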
External References:
https://jenkins.io/security/advisory/2019-07-31/#SECURITY-1465%20(1)