CVE-2019-1003034

Name of the Vulnerable Software and Affected Versions Jenkins Job DSL Plugin versions 1.71 and earlier

Description A sandbox bypass issue exists that allows attackers with control over Job DSL definitions to execute arbitrary code on the Jenkins master JVM. The vulnerability is related to errors in processing input data during code syntax analysis in components such as AbstractDslScriptLoader.groovy, JobDslWhitelist.groovy, and SandboxDslScriptLoader.groovy. This can enable a remote attacker to bypass the sandbox and execute arbitrary code.

Recommendations For Jenkins Job DSL Plugin versions 1.71 and earlier, consider disabling the AbstractDslScriptLoader.groovy, JobDslWhitelist.groovy, and SandboxDslScriptLoader.groovy components as a temporary workaround until a patch is available. Restrict access to the Jenkins master JVM to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.