cbcvebase.
CVE-2019-1003029
published 2019-03-08

CVE-2019-1003029: A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/Gr…

critical9.9CVSS 3.1
AVNACLPRLUINSCCHIHAH
KEVITWEXPLOIT
CISA Known Exploited Vulnerabilitydue 2022-05-16
Exploited in the wild
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM.

Affected

20 ranges
VendorProductVersion rangeFixed in
jenkinsappdynamics_dashboard_plugin
jenkinsazure_vm_agents_plugin
jenkinsazure_vm_in_azure_vm_agents_plugin
jenkinsbitbar_run-in-cloud_plugin
jenkinscredentials_plugin
jenkinsdeploy_plugin
jenkinsemail_extension_plugin
jenkinsgroovy_plugin
jenkinsids_in_azure_vm_agents_plugin
jenkinsids_to_allow_administrators_configuring_the_plugin
jenkinsjob_dsl_plugin
jenkinsmatrix_project_plugin
jenkinsrabbit-mq_publisher_plugin
jenkinsrabbitmq_in_rabbit-mq_publisher_plugin
jenkinsrepository_connector_plugin
jenkinsscript_security<= 1.53
jenkinsscript_security_plugin
jenkinsthis_allowed_users_able_to_control_the_plugin
jenkins_projectjenkins_script_security_plugin
redhatopenshift_container_platform

CVSS provenance

nvdv3.19.9CRITICALCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vulncheck9.9CRITICAL
cisa9.9CRITICAL