CVE-2019-1003000

high-risk

Published 2019-01-22

A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java that allows attackers with the ability to provide sandboxed scripts to execute arbitrary code on the Jenkins master JVM.

Do I need to act?

94.4% chance of exploitation in next 30 days

EPSS score — higher than 6% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

3 public exploits available

46572, 46453, 46427

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 8.8/10 High

NETWORK / LOW complexity

Affected Products (2)

Script Security

Openshift Container Platform

Affected Vendors

Redhat Jenkins

References (14)

Exploit http://packetstormsecurity.com/files/152132/Jenkins-ACL-Bypass-Metaprogramming-R...

Third Party Advisory http://www.rapid7.com/db/modules/exploit/multi/http/jenkins_metaprogramming

Third Party Advisory https://access.redhat.com/errata/RHBA-2019:0326

Third Party Advisory https://access.redhat.com/errata/RHBA-2019:0327

Vendor Advisory https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266

Exploit https://www.exploit-db.com/exploits/46453/

Exploit https://www.exploit-db.com/exploits/46572/

Exploit http://packetstormsecurity.com/files/152132/Jenkins-ACL-Bypass-Metaprogramming-R...

Third Party Advisory http://www.rapid7.com/db/modules/exploit/multi/http/jenkins_metaprogramming

Third Party Advisory https://access.redhat.com/errata/RHBA-2019:0326

Third Party Advisory https://access.redhat.com/errata/RHBA-2019:0327

Vendor Advisory https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266

Exploit https://www.exploit-db.com/exploits/46453/

Exploit https://www.exploit-db.com/exploits/46572/

/ 100

high-risk

Severity 30/34 · Critical

Exploitability 27/34 · High

Exposure 7/34 · Low