cbcvebase.
CVE-2019-1003001
published 2019-01-22

CVE-2019-1003001: A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition.java…

high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EXPLOIT
A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition.java, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShellFactory.java that allows attackers with Overall/Read permission to provide a pipeline script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.

Affected

6 ranges
VendorProductVersion rangeFixed in
jenkinsdeclarative_plugin
jenkinsgroovy_plugin
jenkinspipeline<= 2.61
jenkinsscript_security_plugin
jenkins_projectpipeline_groovy_plugin
redhatopenshift_container_platform

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vulncheck8.8HIGH