CVE-2018-1000865 : What You Need to Know
Learn about CVE-2018-1000865, a security vulnerability in Script Security Plugin allowing unauthorized code execution on Jenkins master JVM. Find mitigation steps here.
A security vulnerability in versions 1.47 and earlier of the Script Security Plugin allows attackers to run unauthorized code on the Jenkins master JVM.
Understanding CVE-2018-1000865
This CVE involves a sandbox bypass vulnerability in the Script Security Plugin.
What is CVE-2018-1000865?
- Attackers with Job/Configure permission can execute arbitrary code on the Jenkins master JVM if plugins using the Groovy sandbox are installed.
The Impact of CVE-2018-1000865
- Unauthorized code execution on the Jenkins master JVM.
Technical Details of CVE-2018-1000865
The vulnerability details and affected systems.
Vulnerability Description
- The vulnerability is in the SandboxTransformer.java file in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/.
Affected Systems and Versions
- Versions 1.47 and earlier of the Script Security Plugin.
Exploitation Mechanism
- Attackers with Job/Configure permission can exploit the vulnerability to run unauthorized code on the Jenkins master JVM.
Mitigation and Prevention
Steps to mitigate and prevent the vulnerability.
Immediate Steps to Take
- Update the Script Security Plugin to a non-vulnerable version.
- Restrict Job/Configure permissions to trusted users.
Long-Term Security Practices
- Regularly monitor and update Jenkins plugins.
- Implement the principle of least privilege for user permissions.
Patching and Updates
- Apply patches provided by Jenkins and plugin vendors.