
GHSA-cjr8-5rw4-wh65

GitHub Security Advisory

Jenkins Splunk Plugin Sandbox Bypass

GitHub Reviewed · Severity: HIGH · Has CVE

Advisory Details

Jenkins Splunk Plugin has a form validation HTTP endpoint used to validate a user-submitted Groovy script through compilation, which was not subject to sandbox protection. This allowed attackers with Overall/Read access to execute arbitrary code on the Jenkins controller by applying AST transforming annotations such as `@Grab` to source code elements.

The affected HTTP endpoint now applies a safe Groovy compiler configuration preventing the use of unsafe AST transforming annotations.
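To make the mechanism concrete, here is an added Java example (not the Splunk plugin's own code) showing a form-validation endpoint in its vulnerable shape beside the hardened shape the advisory describes. It assumes the plugin depends on the Jenkins script-security plugin for `GroovySandbox`; the class and method names are hypothetical.

```java
// Added example, not the Splunk plugin's own code. Assumes a dependency on
// the Jenkins script-security plugin (GroovySandbox). Class and method
// names are hypothetical; the method would normally sit in a Descriptor.
import groovy.lang.GroovyShell;
import hudson.util.FormValidation;
import org.codehaus.groovy.control.CompilationFailedException;
import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox;
import org.kohsuke.stapler.QueryParameter;

public class ScriptCheckExample {

    // BEFORE: default compiler configuration. Compilation alone runs AST
    // transformations, so an annotation such as @Grab executes code during
    // "validation" with no sandbox involved, and every user with
    // Overall/Read can reach a form-validation endpoint.
    public FormValidation doCheckScriptUnsafe(@QueryParameter String value) {
        try {
            new GroovyShell().parse(value);
            return FormValidation.ok();
        } catch (CompilationFailedException e) {
            return FormValidation.error(e.getMessage());
        }
    }

    // AFTER: compile with script-security's secure compiler configuration,
    // which rejects unsafe AST-transforming annotations at compile time, so
    // a script carrying @Grab is reported as a compilation error instead of
    // being executed. Restricting the endpoint to a privileged permission
    // (e.g. Jenkins.ADMINISTER) is a common additional defense.
    public FormValidation doCheckScript(@QueryParameter String value) {
        try {
            new GroovyShell(GroovySandbox.createSecureCompilerConfiguration())
                    .parse(value);
            return FormValidation.ok();
        } catch (CompilationFailedException e) {
            // Rejected AST transforms surface here as compilation errors.
            return FormValidation.error(e.getMessage());
        }
    }
}
```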

Affected Packages

Maven com.splunk.splunkins:splunk-devops
Affected versions: all versions before 1.8.0 (fixed in 1.8.0)

Related CVEs

Key Information

GHSA ID
GHSA-cjr8-5rw4-wh65
Published
May 24, 2022 4:55 PM
Last Modified
October 26, 2023 11:01 PM
CVSS Score
7.5 / 10
Primary Ecosystem
Maven
Primary Package
com.splunk.splunkins:splunk-devops
GitHub Reviewed
✓ Yes

Dataset

Last updated: August 27, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.