V
Scaner-VS
ENRU
HomeCatalogSourcesCWECAPECATT&CKMitigationsProductsVendorsDocs
Back to catalog
CVE-2019-1003005
CVE
High

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecur…

CVSS
8.8
High
EPSS
0.19
p96
Published
2019-01-01
Updated
2019-01-01
Description

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.

Tags · CWE
CWE-96
CAPEC-35
CAPEC-73
CAPEC-77
CAPEC-81
CAPEC-85
Affected products
Script_security ≤ 1.50
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Timeline
2019-01-01
Published
2019-01-01
Updated
CVSS 3.1 breakdown
Attack Vector
AV: N
Network (N)
Attack Complexity
AC: L
Low (L)
Privileges Required
PR: L
Low (L)
User Interaction
UI: N
None (N)
Scope
S: U
Unchanged (U)
Confidentiality Impact
C: H
High (H)
Integrity Impact
I: H
High (H)
Availability Impact
A: H
High (H)
Exploit indicators
EPSS
0.190 · p96
Known exploited (KEV)
No
MITRE ATT&CK
Inferred via CAPEC
└ via CAPEC-35 · CWE-96
└ via CAPEC-35 · CWE-96
└ via CAPEC-35 · CWE-96
Known exploits — Сканер-ВС
No Сканер-ВС checks registered for this vulnerability yet.
Affected products
Red Hat
Jenkins-2-plugins
Jenkins
Script Security
ProductVendorStatus
jenkins-2-pluginsTracked
script_security*Tracked
Source databases
CVE
RED
Related vulnerabilities
BDU:2019-02068