PT-2019-2299 · Jenkins · Jenkins Script Security Plugin+1
Georgy Noseevich
+1
·
Published
2019-03-06
·
Updated
2025-10-24
·
CVE-2019-1003029
CVSS v3.1
9.9
Critical
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Jenkins Script Security Plugin versions 1.53 and earlier
Description
A sandbox bypass vulnerability exists in the Jenkins Script Security Plugin that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM. The issue is related to errors in handling input data during code syntax analysis in the GroovySandbox.java and SecureGroovyScript.java components. This vulnerability can be exploited by a remote attacker to escape the isolated software environment and execute arbitrary code.
Recommendations
For Jenkins Script Security Plugin versions 1.53 and earlier, update to a version later than 1.53 to resolve the issue.
As a temporary workaround, consider restricting access to the GroovySandbox.java and SecureGroovyScript.java components to minimize the risk of exploitation.
Exploit
Fix
Protection Mechanism Failure
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Jenkins
Jenkins Script Security Plugin