⚠ Actively exploited
Added to CISA KEV on 2022-03-25. Federal agencies required to patch by 2022-04-15. Required action: Apply updates per vendor instructions..
CVE-2019-1003030 — Protection Mechanism Failure in Jenkins Pipeline
Severity
9.9CRITICALNVD
EPSS
92.9%
top 0.23%
CISA KEV
KEV
Added 2022-03-25
Due 2022-04-15
Exploit
Exploited in wild
Active exploitation observed
Affected products
Timeline
PublishedMar 8
KEV addedMar 25
KEV dueApr 15
Latest updateMay 13
CISA Required Action: Apply updates per vendor instructions.
Description
A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java that allows attackers able to control pipeline scripts to execute arbitrary code on the Jenkins master JVM.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 3.1 | Impact: 6.0
Affected Packages2 packages
Also affects: Openshift Container Platform 3.11
🔴Vulnerability Details
4CVEList▶
CVE-2019-1003030: A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2↗2019-03-08
💥Exploits & PoCs
1📋Vendor Advisories
3💬Community
1Bugzilla▶
CVE-2019-1003030 jenkins-plugin-workflow-cps: Sandbox bypass in Pipeline: Groovy Plugin (SECURITY-1336(2))↗2019-03-20