CloudBees Groovy View Plugin 1.8.1

1 minute read

RELEASED: Public: 2020-08-12

Security advisory

https://www.cloudbees.com/security-advisories/cloudbees-security-advisory-2020-08-12

Security fixes

  • Groovy remove code execution (RCE) vulnerability in CloudBees Groovy View Plugin (CTR-1846)

    The CloudBees Groovy View sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements.

    This affected an HTTP endpoint used to validate a user-submitted Groovy script and allowed users to bypass the sandbox protection and execute arbitrary code on the Jenkins controller.

    The affected HTTP endpoint now applies a safe Groovy compiler configuration prohibiting unsafe AST transforming annotations.

New features

None.

Resolved issues

None.

Known issues

None.

Upgrade notes

None.