CVE-2019-1003029

high-risk
Published 2019-03-08

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM.

Do I need to act?

!
92.6% chance of exploitation in next 30 days
EPSS score — higher than 7% of all CVEs
!
CISA KEV: actively exploited in the wild
On the Known Exploited Vulnerabilities catalog — federal agencies must patch
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.9/10 Critical
NETWORK / LOW complexity

Affected Products (2)

Affected Vendors

Redhat Jenkins

References (9)

Third Party Advisory http://packetstormsecurity.com/files/166778/Jenkins-Remote-Code-Execution.html
Broken Link http://www.securityfocus.com/bid/107476
Third Party Advisory https://access.redhat.com/errata/RHSA-2019:0739
Third Party Advisory https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1336%20%281%29
Third Party Advisory http://packetstormsecurity.com/files/166778/Jenkins-Remote-Code-Execution.html
Broken Link http://www.securityfocus.com/bid/107476
Third Party Advisory https://access.redhat.com/errata/RHSA-2019:0739
Third Party Advisory https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1336%20%281%29
US Government Resource https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-...
67
/ 100
high-risk
Severity 33/34 · Critical
Exploitability 27/34 · High
Exposure 7/34 · Low