CVE-2018-1000865: Improper Privilege Management in Jenkins
CVSS Score: 8.8 (CVSS 3.0)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.69936%
CWE
Published: 5/13/2022
Updated: 12/30/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.jenkins-ci.plugins:script-security | maven | <= 1.47 | 1.48 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability (CVE-2018-1000865) stems from improper handling of finalize() methods in the Groovy sandbox. The commit diff shows added tests verifying that finalizers are blocked, and the groovy-sandbox dependency was updated to 1.20, which includes the fix. The SandboxTransformer is responsible for applying security transformations to Groovy code, and its failure to restrict finalize() methods (a special JVM lifecycle method) created the sandbox bypass. The test cases explicitly check for a SecurityException when defining finalize() methods, confirming this was the attack vector.