CVE-2019-1003029
CVE-2019-1003029
In short
Jenkins Script Security Plugin has a flaw that lets users with basic read access escape the sandbox and run any code on the Jenkins server. This is dangerous because it gives attackers full control over the Jenkins system.
Technical detail
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.53 and earlier allows attackers with Overall/Read permissions to execute arbitrary code on the Jenkins master JVM through improper sandboxing of Groovy script execution. The vulnerability exists in the GroovySandbox and SecureGroovyScript classes, enabling code execution with Jenkins master privileges.
Summary generated and translated by AI from the official description.
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected products
Jenkins project · Jenkins Script Security Pluginpublic PoCs found — 1
cve_referencepacketstormsecurity.com/files/166778/Jenkins-Remote-Code-Execution.htmlunverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://packetstormsecurity.com/files/166778/Jenkins-Remote-Code-Execution.htmlhttps://access.redhat.com/errata/RHSA-2019:0739https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1336%20%281%29https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-1003029http://www.securityfocus.com/bid/107476