CVE-2019-1003041: Unsafe Reflection in Jenkins Pipeline

Severity
9.8 CRITICAL (NVD)
EPSS
1.8%
top 17.18%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Mar 28
Latest update: Nov 17

Description

A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin 2.64 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages: 2 packages

Also affects: Openshift Container Platform 3.11

🔴Vulnerability Details

3
OSV
Sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin (2022-05-13)
GHSA
Sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin (2022-05-13)
CVEList
CVE-2019-1003041: A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin 2 (2019-03-28)

📋Vendor Advisories

2
Jenkins
Jenkins Security Advisory 2019-03-25 (2019-03-25)
Red Hat
jenkins-plugin-workflow-cps: Sandbox bypass in Script Security Plugin and Pipeline: Groovy Plugin (SECURITY-1353) (2019-03-25)

📄Research Papers

1
arXiv
Identifying Vulnerable Third-Party Java Libraries from Textual Descriptions of Vulnerabilities and Libraries (2023-11-17)

💬Community

1
Bugzilla
CVE-2019-1003041 jenkins-plugin-workflow-cps: Sandbox bypass in Script Security Plugin and Pipeline: Groovy Plugin (SECURITY-1353) (2019-04-01)