CVE-2019-1003002
CVE-2019-1003002
A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in pipeline-model-definition/src/main/groovy/org/jenkinsci/plugins/pipeline/modeldefinition/parser/Converter.groovy that allows attackers with Overall/Read permission to provide a pipeline script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.
Affected products
Jenkins project · Pipeline: Declarative Pluginpublic PoCs found — 4
cve_referencepacketstormsecurity.com/files/152132/Jenkins-ACL-Bypass-Metaprogramming-Remote-Code-Execution.htmlunverifiedcve_referencewww.exploit-db.com/exploits/46572/unverifiedexploitdbwww.exploit-db.com/exploits/46572unverifiedexploitdbwww.exploit-db.com/exploits/46427unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://packetstormsecurity.com/files/152132/Jenkins-ACL-Bypass-Metaprogramming-Remote-Code-Execution.htmlhttps://access.redhat.com/errata/RHBA-2019:0326https://access.redhat.com/errata/RHBA-2019:0327https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266https://www.exploit-db.com/exploits/46572/http://www.rapid7.com/db/modules/exploit/multi/http/jenkins_metaprogramming