Vulnerability in Jenkins Project Script Security Plugin
CVE-2019-1003000
A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java that allows attackers with the ability to provide sandboxed scripts to…
EPSS: 0.944 (100.0th percentile) — read the EPSS interpretation.
Affected products
- Jenkins Project Script Security Plugin — versions 1.49 and earlier
Public proof-of-concept exploits
- adamyordan/cve-2019-1003000-jenkins-rce-poc
- wetw0rk/Exploit-Development
- 1NTheKut/CVE-2019-1003000_RCE-DETECTION
- purple-WL/Jenkins_CVE-2019-1003000
- im23pds/CVE-2019-1003000-and-CVE-2018-1999002-Pre-Auth-RCE-Jenkins
- rapid7/metasploit-framework
- 20142995/sectool
- ARPSyndicate/cve-scores
- ARPSyndicate/cvemon
- BLACKHAT-SSG/Pwn_
References
- jenkins.io/security/advisory/2019-01-08/ (x_refsource_CONFIRM)
- 46453 (exploit, x_refsource_EXPLOIT-DB)
- RHBA-2019:0326 (vendor-advisory, x_refsource_REDHAT)
- packetstormsecurity.com/files/152132/Jenkins-ACL-Bypass-Metaprogramming-Remote-… (x_refsource_MISC)
- www.rapid7.com/db/modules/exploit/multi/http/jenkins_metaprogramming (x_refsource_MISC)
- 46572 (exploit, x_refsource_EXPLOIT-DB)
- RHBA-2019:0327 (vendor-advisory, x_refsource_REDHAT)
Frequently asked questions
- What is CVE-2019-1003000?
- CVE-2019-1003000 is a vulnerability in Jenkins Project Script Security Plugin. Published 2019-01-22.
- Is CVE-2019-1003000 known to be exploited?
- 63 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.