CVE-2018-1000866
published 2018-12-10CVE-2018-1000866: A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.59 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer…
high8.8CVSS 3.0
AVNACLPRLUINSUCHIHAH
A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.59 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java, groovy-cps/lib/src/main/java/com/cloudbees/groovy/cps/SandboxCpsTransformer.java that allows attackers with Job/Configure permission, or unauthorized attackers with SCM commit privileges and corresponding pipelines based on Jenkinsfiles set up in Jenkins, to execute arbitrary code on the Jenkins master JVM
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | groovy_plugin | — | — |
| jenkins | groovy_sandbox_library_used_by_script_security_plugin | — | — |
| jenkins | pipeline | <= 2.59 | — |
| jenkins | pipeline_groovy_plugin | — | — |
| jenkins | script_security_plugin | — | — |
| redhat | openshift_container_platform | — | — |