CVE-2018-1000866:
Jenkins Script Security and Pipeline Groovy Plugins Sandbox Bypass

CVSS Score: 8.8 (CVSS 3.0)

Basic Information

EPSS Score: 0.69936%
Published: 5/13/2022
Updated: 1/9/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| org.jenkins-ci.plugins.workflow:workflow-cps | maven | < 2.60 | 2.60 |
| org.jenkins-ci.plugins:script-security | maven | < 1.48 | 1.48 |

Vulnerability Intelligence
Root Cause Analysis

The vulnerability stems from the Groovy sandbox's failure to restrict finalize() method overrides. Both SandboxTransformer (from the script-security plugin) and SandboxCpsTransformer (from the workflow-cps plugin) did not properly validate these methods during AST transformation, so attackers could define classes with finalize() methods that would execute outside sandbox constraints. The patches (e.g., adding forbidIfFinalizer checks in visitMethod) and the test cases in commits 16c862a/0eb89aa/e1c56eb confirm these were the vulnerable points: the transformers' method-processing logic was missing finalizer validation, which makes these functions the root cause.
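For auditing pipeline scripts kept in SCM, the following added example (not code from this page or from the Jenkins plugins) flags zero-argument finalize() declarations in Groovy source, the construct the unpatched transformers did not reject. It is a regex heuristic, not a Groovy parser; the function name `find_finalizers` and the sample script are constructed for illustration.

```python
import re

# Comments and string literals are blanked before matching so their contents
# are never reported. Groovy slashy strings (/.../) are not handled: heuristic.
_NOISE = re.compile(
    r"/\*.*?\*/|//[^\n]*"
    r'|""".*?"""|' r"'''.*?'''"
    r'|"(?:\\.|[^"\\\n])*"|' r"'(?:\\.|[^'\\\n])*'",
    re.DOTALL,
)

# A declaration is: a type/modifier/def token, whitespace, finalize(), an
# optional throws clause, then the opening brace (possibly on the next line).
_DECL = re.compile(
    r"(?<![\w.])[A-Za-z_][\w.]*(?:\[\])?\s+(?P<name>finalize)\s*\(\s*\)"
    r"\s*(?:throws\s+[\w.,\s]+?)?\s*\{"
)


def _blank(match):
    # Replace everything except newlines so line numbers stay accurate.
    return re.sub(r"[^\n]", " ", match.group())


def find_finalizers(source):
    """Return (line_number, line_text) for each finalize() declaration."""
    code = _NOISE.sub(_blank, source)
    lines = source.splitlines()
    hits = []
    for m in _DECL.finditer(code):
        line_no = code.count("\n", 0, m.start("name")) + 1
        hits.append((line_no, lines[line_no - 1].strip()))
    return hits


# Constructed sample pipeline script (not taken from any real repository).
SAMPLE = '''\
// finalize() { mentioned in a comment only }
class Cleanup {
    protected void finalize() throws Throwable {
        println "closing"
    }
}
def note = "void finalize() { in a string }"
node { sh 'make' }
obj.finalize()
'''

if __name__ == "__main__":
    for line_no, text in find_finalizers(SAMPLE):
        print(f"line {line_no}: {text}")
```

A hit is a prompt for review of that script, and the remediation remains upgrading to the first patched versions listed above.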
