CloudBees Groovy View Plugin 1.10


RELEASED: Public: 2020-08-12

Security fixes

  • Groovy remote code execution (RCE) vulnerability in CloudBees Groovy View Plugin (CTR-1846)

    The CloudBees Groovy View sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements.

    This affected an HTTP endpoint used to validate a user-submitted Groovy script and allowed users to bypass the sandbox protection and execute arbitrary code on the Jenkins master.

    The affected HTTP endpoint now applies a safe Groovy compiler configuration prohibiting unsafe AST transforming annotations.
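
A compiler configuration of the kind described above, as an added sketch in plain Groovy (not CloudBees' code, and not taken from the plugin). The class name, the `validate` helper and the deny list are assumptions; the release note names only @Grab.

```groovy
import org.codehaus.groovy.ast.*
import org.codehaus.groovy.classgen.GeneratorContext
import org.codehaus.groovy.control.*
import org.codehaus.groovy.control.customizers.CompilationCustomizer

// Hypothetical customizer: fails compilation when a denied annotation appears.
class RejectCompileTimeAnnotations extends CompilationCustomizer {
    // Assumed deny list; the release note itself names only @Grab.
    static final List<String> BLOCKED = [
        'groovy.lang.Grab', 'groovy.lang.Grapes', 'groovy.lang.GrabConfig',
        'groovy.lang.GrabResolver', 'groovy.lang.GrabExclude',
        'groovy.transform.ASTTest', 'groovy.transform.AnnotationCollector']

    // CONVERSION is early: type names are still exactly as written in the source.
    RejectCompileTimeAnnotations() { super(CompilePhase.CONVERSION) }

    static void check(String name) {
        // Reject both the fully qualified name and the bare simple name.
        if (BLOCKED.any { it == name || it.endsWith('.' + name) }) {
            throw new SecurityException("Annotation ${name} is not allowed here")
        }
    }

    @Override
    void call(SourceUnit source, GeneratorContext context, ClassNode classNode) {
        new ClassCodeVisitorSupport() {
            @Override protected SourceUnit getSourceUnit() { source }
            // Check imports as well, so an aliased import cannot hide the annotation.
            @Override void visitImports(ModuleNode module) {
                module?.imports?.each { RejectCompileTimeAnnotations.check(it.type.name) }
                super.visitImports(module)
            }
            @Override void visitAnnotations(AnnotatedNode node) {
                node.annotations.each { RejectCompileTimeAnnotations.check(it.classNode.name) }
                super.visitAnnotations(node)
            }
        }.visitClass(classNode)
    }
}

// Hypothetical validation helper: compiles the script only, never runs it.
String validate(String scriptText) {
    def config = new CompilerConfiguration()
    config.addCompilationCustomizers(new RejectCompileTimeAnnotations())
    // Second layer: switch off the global transform that processes @Grab.
    config.disabledGlobalASTTransformations = ['groovy.grape.GrabAnnotationTransformation'] as Set
    try { new GroovyShell(config).parse(scriptText); return 'OK' }
    catch (CompilationFailedException | SecurityException e) { return "Rejected: ${e.message}" }
}
```

A runtime sandbox alone cannot cover this case because the annotations take effect while the script is being compiled, so the check has to live in the compiler configuration used by every code path that compiles user-submitted text, including validation-only endpoints.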

New features

None.

Resolved issues

  • Internal changes to streamline development. Not user visible. (CTR-1239)

Known issues

None.

Upgrade notes

None.