CVE-2019-1003006

UNKNOWN

Published 2019-02-06T16:00:00Z

Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2019-1003006. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.0 and earlier in src/main/java/hudson/plugins/groovy/StringScriptSource.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Jenkins project

Jenkins Groovy Plugin

Affected Versions:

2.0 and earlier

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed HIGH

Jenkins Groovy Plugin sandbox bypass vulnerability

GHSA-xfwj-2f34-32f5

Advisory Details

A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.0 and earlier in `src/main/java/hudson/plugins/groovy/StringScriptSource.java` that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM. In version 2.1, the affected HTTP endpoint applies a safe Groovy compiler configuration preventing the use of unsafe AST transforming annotations.

Affected Packages

Maven org.jenkins-ci.plugins:groovy

ECOSYSTEM: ≥0 <2.1

CVSS Scoring

CVSS Score

7.5

CVSS Vector


                                    CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2019-1003006

WEB https://github.com/jenkinsci/groovy-plugin/commit/212e048a319ae32dad4cfec5e73a885a9f4781f0

WEB https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1293

Advisory provided by GitHub Security Advisory Database. Published: May 13, 2022, Modified: December 6, 2022

References

https://jenkins.io/security/advisory/2019-01-28/#SECURITY-1293

Published: 2019-02-06T16:00:00Z

Last Modified: 2024-09-16T20:21:57.957Z

Copied to clipboard!

CVE-2019-1003006

Expert Analysis

Description

Available Exploits

Related News

Affected Products

Jenkins Groovy Plugin

Affected Versions:

GitHub Security Advisories

Jenkins Groovy Plugin sandbox bypass vulnerability

Advisory Details

Affected Packages

CVSS Scoring

CVSS Score

CVSS Vector

References

References

Request Analysis

What to expect

Request Received!