CVE-2019-1003034Protection Mechanism Failure in Jenkins JOB DSL

CWE-693Protection Mechanism FailureCWE-20Improper Input Validation7 documents7 sources
Severity
9.9CRITICALNVD
EPSS
1.8%
top 17.18%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Jenkins JOB DSLJenkins Project Jenkins JOB DSL PluginRedhat Openshift Container Platform
Timeline
PublishedMar 8
Latest updateMay 13

Description

A sandbox bypass vulnerability exists in Jenkins Job DSL Plugin 1.71 and earlier in job-dsl-core/src/main/groovy/javaposse/jobdsl/dsl/AbstractDslScriptLoader.groovy, job-dsl-plugin/build.gradle, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/JobDslWhitelist.groovy, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/SandboxDslScriptLoader.groovy that allows attackers with control over Job DSL definitions to execute arbitrary code on the Jenkins master JVM.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 3.1 | Impact: 6.0

Affected Packages2 packages

CVEListV5jenkins_project/jenkins_job_dsl_plugin1.71 and earlier
NVDjenkins/job_dsl1.71

Also affects: Openshift Container Platform 3.11

🔴Vulnerability Details

3
GHSA
Script security sandbox bypass in Jenkins Job DSL Plugin2022-05-13
OSV
Script security sandbox bypass in Jenkins Job DSL Plugin2022-05-13
CVEList
CVE-2019-1003034: A sandbox bypass vulnerability exists in Jenkins Job DSL Plugin 12019-03-08

📋Vendor Advisories

2
Jenkins
Jenkins Security Advisory 2019-03-062019-03-06
Red Hat
jenkins-job-dsl-plugin: Script security sandbox bypass in Job DSL Plugin (SECURITY-1342)2019-03-06

💬Community

1
Bugzilla
CVE-2019-1003034 jenkins-job-dsl-plugin: Script security sandbox bypass in Job DSL Plugin (SECURITY-1342)2019-03-20
CVE-2019-1003034 — Protection Mechanism Failure | cvebase