CVE-2019-1003005

High

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in…

jenkins·NVD-CWE-Other·Published 2019-02-06

CVSS

8.8

EPSS

0.19

KEV

Exploits

Vendor statements (1)

access.redhat.com

cve.orgen

350 chars

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.

OSV.deven

350 chars

GHSAen

350 chars

NVDes

402 chars

Existe una vulnerabilidad de omisión de sandbox en Jenkins Script Security Plugin, en versiones 1.50 y anteriores, en src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java, que permite que los atacantes con permisos Overall/Read proporcionen un script de Groovy a un endpoint HTTP que puede resultar en la ejecución de código arbitrario en el JVM maestro de Jenkins.

CVSS metrics across sources

Version	Type	Source	Base	Exp	Impact	Vector
2.0	Primary	NVD	6.5	8.0	6.4	AV:N/AC:L/Au:S/C:P/I:P/A:P
3.1	Primary	NVD	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
3.1	Secondary	GHSA	8.8	—	—	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H