Home > Vulnerability Database > CVE-2019-1003001

Mend.io Vulnerability Database

CVE-2019-1003001

Good to know:

Date: January 22, 2019

A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins/workflow/cps/CpsFlowDefinition.java, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShellFactory.java that allows attackers with Overall/Read permission to provide a pipeline script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.

Language: Java

Severity Score

8.8

Related Resources (12)

Url: https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266

Url: https://www.exploit-db.com/exploits/46572/

Url: https://nvd.nist.gov/vuln/detail/CVE-2019-1003001

Url: https://github.com/jenkinsci/pipeline-model-definition-plugin/commit/6d7884dec610bf34503d24d494d994e9fc607642

Url: http://packetstormsecurity.com/files/152132/Jenkins-ACL-Bypass-Metaprogramming-Remote-Code-Execution.html

Url: https://www.exploit-db.com/exploits/46572

Url: https://github.com/jenkinsci/workflow-cps-plugin/commit/66c3e7aafe7888d4e1fe9995a688bb3fb742d742

Url: https://access.redhat.com/errata/RHBA-2019:0326

Url: https://access.redhat.com/errata/RHBA-2019:0327

Url: http://www.rapid7.com/db/modules/exploit/multi/http/jenkins_metaprogramming

Url: https://github.com/jenkinsci/script-security-plugin/commit/2c5122e50742dd16492f9424992deb21cc07837c

Url: https://www.mend.io/vulnerability-database/CVE-2019-1003001

Severity Score

8.8

Weakness Type (CWE)

Security Features

CWE-254

Top Fix

Upgrade Version

Upgrade to version org.jenkins-ci.plugins:script-security:1.50

Learn More

CVSS v3.1

Base Score:	8.8
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	NONE
Scope (S):	UNCHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	6.5
Access Vector (AV):	NETWORK
Access Complexity (AC):	LOW
Authentication (AU):	SINGLE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2019-1003001

Good to know:

Date: January 22, 2019

Language: Java

Severity Score

Related Resources (12)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?