Vulnerability Description
A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.59 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java, groovy-cps/lib/src/main/java/com/cloudbees/groovy/cps/SandboxCpsTransformer.java that allows attackers with Job/Configure permission, or unauthorized attackers with SCM commit privileges and corresponding pipelines based on Jenkinsfiles set up in Jenkins, to execute arbitrary code on the Jenkins master JVM
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jenkins | Pipeline\ | <= 2.59, _groovy |
| Redhat | Openshift Container Platform | 3.11 |
Related Weaknesses (CWE)
References
- https://access.redhat.com/errata/RHBA-2019:0326Third Party Advisory
- https://access.redhat.com/errata/RHBA-2019:0327Third Party Advisory
- https://jenkins.io/security/advisory/2018-10-29/#SECURITY-1186Vendor Advisory
- https://access.redhat.com/errata/RHBA-2019:0326Third Party Advisory
- https://access.redhat.com/errata/RHBA-2019:0327Third Party Advisory
- https://jenkins.io/security/advisory/2018-10-29/#SECURITY-1186Vendor Advisory
FAQ
What is CVE-2018-1000866?
CVE-2018-1000866 is a vulnerability with a CVSS score of 8.8 (HIGH). A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.59 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java, groovy-cps/lib/src/main/java/com/c...
How severe is CVE-2018-1000866?
CVE-2018-1000866 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2018-1000866?
Check the references section above for vendor advisories and patch information. Affected products include: Jenkins Pipeline\, Redhat Openshift Container Platform.