CVE-2019-1003005 — Protection Mechanism Failure in Jenkins Script Security

CWE-693 — Protection Mechanism Failure CWE-96 — Static Code Injection8 documents7 sources

Severity

8.8HIGHNVD

EPSS

74.2%

top 1.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Script Security Jenkins Project Jenkins Script Security Plugin

Timeline

PublishedFeb 6

Latest updateMay 13

Description

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5jenkins_project/jenkins_script_security_plugin1.50 and earlier

▶NVDjenkins/script_security1.50

🔴Vulnerability Details

OSV

Sandbox Bypass in Script Security Plugin↗2022-05-13

▶

GHSA

Sandbox Bypass in Script Security Plugin↗2022-05-13

▶

CVEList

CVE-2019-1003005: A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1↗2019-02-06

▶

📋Vendor Advisories

Red Hat

jenkins-plugin-script-security: Sandbox Bypass in Script Security Plugin (SECURITY-1292)↗2019-01-29

▶

Jenkins

Jenkins Security Advisory 2019-01-28↗2019-01-28

▶

💬Community

Bugzilla

CVE-2019-1003005 jenkins-plugin-script-security: Sandbox Bypass in Script Security Plugin (SECURITY-1292)↗2019-01-29

▶

Bugzilla

CVE-2019-1003005 jenkins-script-security-plugin: jenkins-plugin-script-security: Sandbox Bypass in Script Security Plugin (SECURITY-1292) [fedora-all]↗2019-01-29

▶