CVE-2018-1000865

A sandbox bypass vulnerability exists in Script Security Plugin 1.47 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM, if plugins using the Groovy sandbox are installed.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
mitreCNA
---
---
CVEADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 69%
VendorProductVersion
jenkinsscript_security
𝑥
≤ 1.47
redhatopenshift_container_platform
3.11
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://access.redhat.com/errata/RHBA-2019:0326
https://access.redhat.com/errata/RHBA-2019:0327
https://jenkins.io/security/advisory/2018-10-29/#SECURITY-1186
https://access.redhat.com/errata/RHBA-2019:0326
https://access.redhat.com/errata/RHBA-2019:0327
https://jenkins.io/security/advisory/2018-10-29/#SECURITY-1186