⚠ Actively exploited

Added to CISA KEV on 2022-04-25. Federal agencies required to patch by 2022-05-16. Required action: Apply updates per vendor instructions..

CVE-2019-1003029

CWE-693 CWE-9610 documents9 sources

Severity

9.9CRITICAL

EPSS

92.6%

top 0.25%

CISA KEV

KEV

Added 2022-04-25

Due 2022-05-16

Exploit

Exploited in wild

Active exploitation observed

Affected products

Jenkins Script Security Jenkins Project Jenkins Script Security Plugin Redhat Openshift Container Platform

Timeline

PublishedMar 8

KEV addedApr 25

Latest updateMay 13

KEV dueMay 16

CISA Required Action: Apply updates per vendor instructions.

Description

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 3.1 | Impact: 6.0

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:script-security< 1.54

▶CVEListV5jenkins_project/jenkins_script_security_plugin1.53 and earlier

▶NVDjenkins/script_security1.53

Also affects: Openshift Container Platform 3.11

🔴Vulnerability Details

GHSA

Sandbox bypass in Script Security Plugin↗2022-05-13

▶

OSV

Sandbox bypass in Script Security Plugin↗2022-05-13

▶

CVEList

CVE-2019-1003029: A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1↗2019-03-08

▶

VulnCheck

Jenkins Script Security Plugin Sandbox Bypass Vulnerability↗2019

▶

📋Vendor Advisories

CISA

Jenkins Script Security Plugin Sandbox Bypass Vulnerability↗2022-04-25

▶

Jenkins

Jenkins Security Advisory 2019-03-06↗2019-03-06

▶

Red Hat

jenkins-plugin-script-security: sandbox bypass in script security plugin↗2019-03-06

▶

💬Community

Bugzilla

CVE-2019-1003029 jenkins-script-security-plugin: jenkins-plugin-script-security: sandbox bypass in script security plugin [fedora-all]↗2019-03-18

▶

Bugzilla

CVE-2019-1003029 jenkins-plugin-script-security: sandbox bypass in script security plugin↗2019-03-18

▶