8.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-1000866

GHSA ID

GHSA-gqhm-4h93-rrhg

EPSS Score

0.69936%

CWE

CWE-269

Published

5/13/2022

Updated

1/9/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2018-1000866

CVE-2018-1000866:
Jenkins Script Security and Pipeline Groovy Plugins Sandbox Bypass

A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.59 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java, groovy-cps/lib/src/main/java/com/cloudbees/groovy/cps/SandboxCpsTransformer.java that allows attackers with Job/Configure permission, or unauthorized attackers with SCM commit privileges and corresponding pipelines based on Jenkinsfiles set up in Jenkins, to execute arbitrary code on the Jenkins master JVM

(GitHub Advisory)

8.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2018-1000866

GHSA ID

GHSA-gqhm-4h93-rrhg

EPSS Score

0.69936%

CWE

CWE-269

Published

5/13/2022

Updated

1/9/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins.workflow:workflow-cps	maven	< 2.60	2.60
org.jenkins-ci.plugins:script-security	maven	< 1.48	1.48

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the Groovy sandbox's failure to restrict finalize() method overrides. Both SandboxTransformer (from script-security plugin) and SandboxCpsTransformer (from workflow-cps plugin) didn't properly validate() these methods during AST transformation. Attackers could define classes with finalize() methods that would execute outside sandbox constraints. The patches (e.g., adding forbidIfFinalizer checks in visitMethod) and test cases in commits 16c862a/0eb89aa/e1c56eb confirm these were the vulnerable points. The transformers' method processing logic was missing finalizer validation, making these functions the root cause.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* s*n**ox *yp*ss vuln*r**ility *xists in Pip*lin*: *roovy Plu*in *.** *n* **rli*r in *roovy-s*n**ox/sr*/m*in/j*v*/or*/ko*suk*/*roovy/s*n**ox/S*n**oxTr*ns*orm*r.j*v*, *roovy-*ps/li*/sr*/m*in/j*v*/*om/*lou****s/*roovy/*ps/S*n**ox*psTr*ns*orm*r.j*v* t**

Reasoning

T** vuln*r**ility st*ms *rom t** *roovy s*n**ox's **ilur* to r*stri*t `*in*liz*()` m*t*o* ov*rri**s. *ot* `S*n**oxTr*ns*orm*r` (*rom `s*ript-s**urity` plu*in) *n* `S*n**ox*psTr*ns*orm*r` (*rom `work*low-*ps` plu*in) *i*n't prop*rly `v*li**t*()` t**s*

8.8

Basic Information

Concerned about an active attack path?

CVE-2018-1000866: Jenkins Script Security and Pipeline Groovy Plugins Sandbox Bypass

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2018-1000866:
Jenkins Script Security and Pipeline Groovy Plugins Sandbox Bypass

Vulnerability Intelligence
Miggo AI