CVE-2019-1003001
CVE-2019-1003001
A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition.java, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShellFactory.java that allows attackers with Overall/Read permission to provide a pipeline script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.
Affected products
Jenkins project · Pipeline: Groovy Pluginpublic PoCs found — 4
cve_referencepacketstormsecurity.com/files/152132/Jenkins-ACL-Bypass-Metaprogramming-Remote-Code-Execution.htmlunverifiedcve_referencewww.exploit-db.com/exploits/46572/unverifiedexploitdbwww.exploit-db.com/exploits/46572unverifiedexploitdbwww.exploit-db.com/exploits/46427unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://packetstormsecurity.com/files/152132/Jenkins-ACL-Bypass-Metaprogramming-Remote-Code-Execution.htmlhttps://access.redhat.com/errata/RHBA-2019:0326https://access.redhat.com/errata/RHBA-2019:0327https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266https://www.exploit-db.com/exploits/46572/http://www.rapid7.com/db/modules/exploit/multi/http/jenkins_metaprogramming