CVE-2018-1000866

Published: 2018-12-10T14:29Z

Last Modified: 2024-11-21T03:40Z

Source: MITRE CVE List

License: MITRE-CVE-TOS

A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.59 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java, groovy-cps/lib/src/main/java/com/cloudbees/groovy/cps/SandboxCpsTransformer.java that allows attackers with Job/Configure permission, or unauthorized attackers with SCM commit privileges and corresponding pipelines based on Jenkinsfiles set up in Jenkins, to execute arbitrary code on the Jenkins master JVM > MITRE Terms of Use apply – see LICENSE‑MITRE.txt