RELEASED: Public: 2020-08-12
Security fixes
-
Groovy remove code execution (RCE) vulnerability in CloudBees Groovy View Plugin (CTR-1846)
The CloudBees Groovy View sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as
@Grab
to source code elements.This affected an HTTP endpoint used to validate a user-submitted Groovy script and allowed users to bypass the sandbox protection and execute arbitrary code on the Jenkins controller.
The affected HTTP endpoint now applies a safe Groovy compiler configuration prohibiting unsafe AST transforming annotations.