CVE-2019-1003030
CVE-2019-1003030
In short
Jenkins Pipeline plugin had a sandbox protection that could be bypassed by attackers who control pipeline scripts, allowing them to run arbitrary code on the Jenkins server. This is critical because Jenkins servers often have access to sensitive systems and credentials.
Technical detail
A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin ≤2.63 allows attackers with pipeline script control to execute arbitrary code on the Jenkins master JVM by circumventing the Groovy sandbox restrictions. The vulnerability is exploitable when an attacker can influence pipeline definitions, potentially leading to complete compromise of the Jenkins instance and connected systems.
Summary generated and translated by AI from the official description.
A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java that allows attackers able to control pipeline scripts to execute arbitrary code on the Jenkins master JVM.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Affected products
Jenkins project · Jenkins Pipeline: Groovy Pluginpublic PoCs found — 3
githubgithub.com/overgrowncarrot1/CVE-2019-1003030★ 1cve_referencepacketstormsecurity.com/files/159603/Jenkins-2.63-Sandbox-Bypass.htmlunverifiedexploitdbwww.exploit-db.com/exploits/48904unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
http://packetstormsecurity.com/files/159603/Jenkins-2.63-Sandbox-Bypass.htmlhttps://access.redhat.com/errata/RHSA-2019:0739https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1336%20%282%29https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-1003030http://www.securityfocus.com/bid/107476