Sandbox bypass in Script Security Plugin

GHSA-xvxq-hq48-xphm · CVE-2019-1003029

Published May 13, 2022 · Modified Oct 22, 2025

Description

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2019-1003029
WEB https://access.redhat.com/errata/RHSA-2019:0739
PACKAGE https://github.com/jenkinsci/script-security-plugin
WEB https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1336%20%281%29
WEB https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1336%20(1)
WEB https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-1003029
WEB http://packetstormsecurity.com/files/166778/Jenkins-Remote-Code-Execution.html

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes