CVE-2019-1003005

Name of the Vulnerable Software and Affected Versions Jenkins Script Security Plugin versions 1.50 and earlier

Description The issue is related to errors in handling Groovy scripts, which can be exploited by a remote attacker to bypass the sandbox and execute arbitrary code on the Jenkins master JVM. This can be achieved by providing a Groovy script to an HTTP endpoint, allowing for arbitrary code execution. The attacker needs Overall/Read permission to exploit this issue.

Recommendations For Jenkins Script Security Plugin versions 1.50 and earlier, update to a version later than 1.50 to resolve the issue. As a temporary workaround, consider restricting access to the SecureGroovyScript.java component to minimize the risk of exploitation. Avoid using the HTTP endpoint that allows Groovy script execution until the issue is resolved.