cbcvebase.
CVE-2019-1003034
published 2019-03-08

CVE-2019-1003034: A sandbox bypass vulnerability exists in Jenkins Job DSL Plugin 1.71 and earlier in job-dsl-core/src/main/groovy/javaposse/jobdsl/dsl/AbstractDslScriptLoader.gr…

critical9.9CVSS 3.1
AVNACLPRLUINSCCHIHAH
A sandbox bypass vulnerability exists in Jenkins Job DSL Plugin 1.71 and earlier in job-dsl-core/src/main/groovy/javaposse/jobdsl/dsl/AbstractDslScriptLoader.groovy, job-dsl-plugin/build.gradle, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/JobDslWhitelist.groovy, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/SandboxDslScriptLoader.groovy that allows attackers with control over Job DSL definitions to execute arbitrary code on the Jenkins master JVM.

Affected

20 ranges
VendorProductVersion rangeFixed in
jenkinsappdynamics_dashboard_plugin
jenkinsazure_vm_agents_plugin
jenkinsazure_vm_in_azure_vm_agents_plugin
jenkinsbitbar_run-in-cloud_plugin
jenkinscredentials_plugin
jenkinsdeploy_plugin
jenkinsemail_extension_plugin
jenkinsgroovy_plugin
jenkinsids_in_azure_vm_agents_plugin
jenkinsids_to_allow_administrators_configuring_the_plugin
jenkinsjob_dsl<= 1.71
jenkinsjob_dsl_plugin
jenkinsmatrix_project_plugin
jenkinsrabbit-mq_publisher_plugin
jenkinsrabbitmq_in_rabbit-mq_publisher_plugin
jenkinsrepository_connector_plugin
jenkinsscript_security_plugin
jenkinsthis_allowed_users_able_to_control_the_plugin
jenkins_projectjenkins_job_dsl_plugin
redhatopenshift_container_platform