CVE-2019-1003024: A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.52 and earlier in RejectASTTransformsCustomizer.java that allows attackers with…

high8.8CVSS 3.1

AVNACLPRLUINSUCHIHAH

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.52 and earlier in RejectASTTransformsCustomizer.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.

Affected

15 ranges

Vendor	Product	Version range	Fixed in
jenkins	acunetix_plugin	—	—
jenkins	arxan_mam_publisher_plugin	—	—
jenkins	cloud_foundry_plugin	—	—
jenkins	cloudbees_cd_plugin	—	—
jenkins	credentials_plugin	—	—
jenkins	digital.ai_app_management_publisher_plugin	—	—
jenkins	electricflow_plugin	—	—
jenkins	jms_messaging_plugin	—	—
jenkins	mattermost_notification_plugin	—	—
jenkins	octopus_deploy_plugin	—	—
jenkins	octopusdeploy_plugin	—	—
jenkins	script_security	<= 1.52	—
jenkins	script_security_plugin	—	—
jenkins_project	jenkins_script_security_plugin	—	—
redhat	openshift_container_platform	—	—