CVE-2019-1003030 : A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 an

A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java that allows attackers able to control pipeline scripts to execute arbitrary code on the Jenkins master JVM.

Published 2019-03-08 21:29:00

Updated 2025-02-20 18:04:30

Source Jenkins Project

View at NVD, CVE.org

Vulnerability category: Execute code

Products affected by CVE-2019-1003030

Redhat » Openshift Container Platform » Version: 3.11
cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*
Matching versions
Jenkins » Pipeline: Groovy » For Jenkins
Versions up to, including, (<=) 2.63
cpe:2.3:a:jenkins:pipeline\:_groovy:*:*:*:*:*:jenkins:*:*
Matching versions

CVE-2019-1003030 is in the CISA Known Exploited Vulnerabilities Catalog

CISA vulnerability name:

Jenkins Matrix Project Plugin Remote Code Execution Vulnerability

CISA required action:

Apply updates per vendor instructions.

CISA description:

Jenkins Matrix Project plugin contains a vulnerability which can allow users to escape the sandbox, opening opportunity to perform remote code execution.

Notes:

https://nvd.nist.gov/vuln/detail/CVE-2019-1003030

Added on 2022-03-25 Action due date 2022-04-15

Exploit prediction scoring system (EPSS) score for CVE-2019-1003030

EPSS FAQ

92.83%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 100 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2019-1003030

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
6.5	MEDIUM	AV:N/AC:L/Au:S/C:P/I:P/A:P	8.0	6.4	NIST
Access Vector: Network Access Complexity: Low Authentication: Single Confidentiality Impact: Partial Integrity Impact: Partial Availability Impact: Partial
9.9	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H	3.1	6.0	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-02-07
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High
9.9	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H	3.1	6.0	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2019-1003030

CWE-693 Protection Mechanism Failure

The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- jenkinsci-cert@googlegroups.com (Primary)

References for CVE-2019-1003030

http://www.securityfocus.com/bid/107476

Multiple Jenkins Plugins Multiple Security Vulnerabilities
Broken Link;Third Party Advisory;VDB Entry

CVEs referencing this url
https://access.redhat.com/errata/RHSA-2019:0739

RHSA-2019:0739 - Security Advisory - Red Hat Customer Portal
Third Party Advisory

CVEs referencing this url
http://packetstormsecurity.com/files/159603/Jenkins-2.63-Sandbox-Bypass.html

Jenkins 2.63 Sandbox Bypass ≈ Packet Storm
Exploit;Third Party Advisory;VDB Entry
https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1336%20%282%29

Jenkins Security Advisory 2019-03-06
Third Party Advisory
https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1336%20(2)

Jenkins Security Advisory 2019-03-06
Vendor Advisory