CVE-2018-1000866: Jenkins Script Security and Pipeline Groovy Plugins Sandbox Bypass

CVSS Score: 8.8 (CVSS 3.0)
Basic Information

Field | Value
---|---
CVE ID | CVE-2018-1000866
GHSA ID |
EPSS Score | 0.69936%
CWE |
Published | 5/13/2022
Updated | 1/9/2024
KEV Status | No
Technology | Java
Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version
---|---|---|---
org.jenkins-ci.plugins.workflow:workflow-cps | maven | < 2.60 | 2.60
org.jenkins-ci.plugins:script-security | maven | < 1.48 | 1.48
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from the Groovy sandbox's failure to restrict overrides of the finalize() method. Both SandboxTransformer (from the script-security plugin) and SandboxCpsTransformer (from the workflow-cps plugin) did not properly validate these methods during AST transformation. An attacker could therefore define a class with a finalize() method whose body would execute outside the sandbox's constraints. The patches (e.g., adding forbidIfFinalizer checks in visitMethod) and the test cases in commits 16c862a/0eb89aa/e1c56eb confirm that these were the vulnerable points. The transformers' method-processing logic lacked any finalizer validation, making these functions the root cause.