CVE-2018-1000865

CWE-269Improper Privilege ManagementCWE-94Code Injection8 documents7 sources
Severity
8.8HIGH
EPSS
0.6%
top 30.11%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Jenkins Script SecurityRedhat Openshift Container Platform
Timeline
PublishedDec 10
Latest updateMay 13

Description

A sandbox bypass vulnerability exists in Script Security Plugin 1.47 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM, if plugins using the Groovy sandbox are installed.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

Also affects: Openshift Container Platform 3.11

🔴Vulnerability Details

3
OSV
Improper Privilege Management in Jenkins2022-05-13
GHSA
Improper Privilege Management in Jenkins2022-05-13
CVEList
CVE-2018-1000865: A sandbox bypass vulnerability exists in Script Security Plugin 12018-12-10

📋Vendor Advisories

2
Red Hat
jenkins-plugin-script-security: Sandbox Bypass in finalize methods2018-10-29
Jenkins
Jenkins Security Advisory 2018-10-292018-10-29

💬Community

2
Bugzilla
CVE-2018-1000865 CVE-2018-1000866 jenkins-script-security-plugin: jenkins-plugin-script-security: Sandbox Bypass in finalize methods [fedora-all]2018-11-06
Bugzilla
CVE-2018-1000865 CVE-2018-1000866 jenkins-plugin-script-security: Sandbox Bypass in finalize methods2018-11-06
CVE-2018-1000865 (HIGH CVSS 8.8) | A sandbox bypass vulnerability exis | cvebase.io