
CVE-2018-1000865: Improper Privilege Management in Jenkins

CVSS Score
8.8 (CVSS 3.0)

Basic Information

EPSS Score
0.69936%
Published
5/13/2022
Updated
12/30/2023
KEV Status
No
Technology
Java

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name
org.jenkins-ci.plugins:script-security
Ecosystem
maven
Vulnerable Versions
<= 1.47
First Patched Version
1.48

Vulnerability Intelligence

Root Cause Analysis

The vulnerability (CVE-2018-1000865) stems from improper handling of finalize() methods in the Groovy sandbox. The commit diff shows added tests verifying that finalizers are blocked, and the groovy-sandbox dependency was updated to 1.20, which includes the fix. The SandboxTransformer is responsible for applying security transformations to Groovy code; because it did not restrict finalize() methods (the JVM's object-finalization hook, invoked by the garbage collector rather than by sandboxed code), a script could define one and escape the sandbox. The added test cases explicitly expect a SecurityException when a script defines a finalize() method, confirming that this was the attack vector.
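As an added example (not code from the page or from the Jenkins project), the following Python scanner flags finalize() method declarations in Groovy source, the construct that groovy-sandbox 1.20 started rejecting; a defender can run it over job scripts stored on an instance that has not yet been upgraded to script-security 1.48. The sample script and the function names are constructed for this example.

```python
"""Flag finalize() method declarations in Groovy source, the construct the
Script Security sandbox failed to reject before groovy-sandbox 1.20."""
import re

# Comments and simple string literals are removed before scanning so that a
# mention of finalize() in a comment or string is not reported. Assumption:
# triple-quoted and slashy Groovy strings are not handled.
_BLOCK_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
_LINE_COMMENT = re.compile(r"//[^\n]*")
_STRING = re.compile(r'"(?:\\.|[^"\\\n])*"|\'(?:\\.|[^\'\\\n])*\'')

# A method declaration named finalize: one or more leading words (def,
# modifiers, a plain return type), the name, an empty parameter list, an
# optional throws clause and the opening brace of the body. The negative
# lookbehind excludes calls such as super.finalize().
_FINALIZE_DECL = re.compile(
    r"(?<![\w.])(?:\w+\s+)+finalize\s*\(\s*\)\s*"
    r"(?:throws\s+[\w.]+(?:\s*,\s*[\w.]+)*\s*)?\{"
)


def _blank(match: re.Match) -> str:
    # Keep the newlines of a removed block comment so line numbers stay right.
    return "\n" * match.group(0).count("\n")


def find_finalize_declarations(source: str) -> list:
    """Return (line_number, declaration_text) for each finalize() declared."""
    cleaned = _BLOCK_COMMENT.sub(_blank, source)
    cleaned = _STRING.sub("", cleaned)       # strings first: "http://x" is not a comment
    cleaned = _LINE_COMMENT.sub("", cleaned)
    findings = []
    for m in _FINALIZE_DECL.finditer(cleaned):
        line = cleaned.count("\n", 0, m.start()) + 1
        findings.append((line, " ".join(m.group(0).split())))
    return findings


# Constructed sample of a job script; not taken from any real Jenkins instance.
SAMPLE_SCRIPT = """\
// constructed sample, not from any real job
class Leak {
    protected void finalize() throws Throwable {
        println "finalize is running"
    }
}
def finalize() { echo 'top-level declaration' }
/* finalize() in a comment must not be reported */
String s = "finalize() { in a string }"
super.finalize()
"""

if __name__ == "__main__":
    for line, decl in find_finalize_declarations(SAMPLE_SCRIPT):
        print(f"line {line}: {decl}")
```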


