Re: Script sandbox bypass in multiple Jenkins plugins

[Daniel Beck <ml () beckweb net>]

> On 29. Oct 2018, at 14:42, Daniel Beck <ml () beckweb net> wrote:
>
> SECURITY-1186
> The Groovy Sandbox library used by Script Security Plugin and Pipeline Groovy
> Plugin did not apply sandbox restrictions to finalize methods. This could be
> used to invoke arbitrary constructors and methods, bypassing sandbox
> protection.
>
> Finalize methods are now prohibited in classes subject to sandbox security.

CVE-2018-1000865 (Script Security Plugin) and CVE-2018-1000866 (Pipeline: Groovy Plugin)