CVE-2019-1003030
published 2019-03-08CVE-2019-1003030: A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml…
critical9.9CVSS 3.1
AVNACLPRLUINSCCHIHAH
KEVITWEXPLOIT
CISA Known Exploited Vulnerabilitydue 2022-04-15
Exploited in the wild
A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java that allows attackers able to control pipeline scripts to execute arbitrary code on the Jenkins master JVM.
Affected
20 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | appdynamics_dashboard_plugin | — | — |
| jenkins | azure_vm_agents_plugin | — | — |
| jenkins | azure_vm_in_azure_vm_agents_plugin | — | — |
| jenkins | bitbar_run-in-cloud_plugin | — | — |
| jenkins | credentials_plugin | — | — |
| jenkins | deploy_plugin | — | — |
| jenkins | email_extension_plugin | — | — |
| jenkins | groovy_plugin | — | — |
| jenkins | ids_in_azure_vm_agents_plugin | — | — |
| jenkins | ids_to_allow_administrators_configuring_the_plugin | — | — |
| jenkins | job_dsl_plugin | — | — |
| jenkins | matrix_project_plugin | — | — |
| jenkins | pipeline | <= 2.63 | — |
| jenkins | rabbit-mq_publisher_plugin | — | — |
| jenkins | rabbitmq_in_rabbit-mq_publisher_plugin | — | — |
| jenkins | repository_connector_plugin | — | — |
| jenkins | script_security_plugin | — | — |
| jenkins | this_allowed_users_able_to_control_the_plugin | — | — |
| jenkins_project | jenkins_pipeline_groovy_plugin | — | — |
| redhat | openshift_container_platform | — | — |
CVSS provenance
nvdv3.19.9CRITICALCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
vulncheck9.9CRITICAL
cisa9.9CRITICAL