CVSS: 9.8EPSS: 1%CPEs: 2EXPL: 0CVE-2019-1003040 – jenkins-plugin-script-security: Sandbox bypass in Script Security Plugin and Pipeline: Groovy Plugin (SECURITY-1353)
https://notcve.org/view.php?id=CVE-2019-1003040
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.55 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts. • http://www.openwall.com/lists/oss-security/2019/03/28/2 http://www.securityfocus.com/bid/107628 https://access.redhat.com/errata/RHSA-2019:1423 https://jenkins.io/security/advisory/2019-03-25/#SECURITY-1353 https://access.redhat.com/security/cve/CVE-2019-1003040 https://bugzilla.redhat.com/show_bug.cgi?id=1694532 • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') CWE-704: Incorrect Type Conversion or Cast •
CVSS: 9.8EPSS: 1%CPEs: 2EXPL: 0CVE-2019-1003041 – jenkins-plugin-workflow-cps: Sandbox bypass in Script Security Plugin and Pipeline: Groovy Plugin (SECURITY-1353)
https://notcve.org/view.php?id=CVE-2019-1003041
A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin 2.64 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts. • http://www.openwall.com/lists/oss-security/2019/03/28/2 http://www.securityfocus.com/bid/107628 https://access.redhat.com/errata/RHSA-2019:1423 https://jenkins.io/security/advisory/2019-03-25/#SECURITY-1353 https://access.redhat.com/security/cve/CVE-2019-1003041 https://bugzilla.redhat.com/show_bug.cgi?id=1694536 • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') CWE-704: Incorrect Type Conversion or Cast •
CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 0CVE-2019-10063 – flatpak: Sandbox bypass via IOCSTI (incomplete fix for CVE-2017-5226)
https://notcve.org/view.php?id=CVE-2019-10063
Flatpak before 1.0.8, 1.1.x and 1.2.x before 1.2.4, and 1.3.x before 1.3.1 allows a sandbox bypass. ... A sandbox bypass flaw was found in the way bubblewrap, which is used for sandboxing flatpak applications handled the TIOCSTI ioctl. • https://access.redhat.com/errata/RHSA-2019:1024 https://access.redhat.com/errata/RHSA-2019:1143 https://github.com/flatpak/flatpak/issues/2782 https://access.redhat.com/security/cve/CVE-2019-10063 https://bugzilla.redhat.com/show_bug.cgi?id=1695973 • CWE-20: Improper Input Validation CWE-266: Incorrect Privilege Assignment •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-1003033
https://notcve.org/view.php?id=CVE-2019-1003033
A sandbox bypass vulnerability exists in Jenkins Groovy Plugin 2.1 and earlier in pom.xml, src/main/java/hudson/plugins/groovy/StringScriptSource.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM. • http://www.securityfocus.com/bid/107476 https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1338 •
CVSS: 9.9EPSS: 0%CPEs: 1EXPL: 0CVE-2019-1003032
https://notcve.org/view.php?id=CVE-2019-1003032
A sandbox bypass vulnerability exists in Jenkins Email Extension Plugin 2.64 and earlier in pom.xml, src/main/java/hudson/plugins/emailext/ExtendedEmailPublisher.java, src/main/java/hudson/plugins/emailext/plugins/content/EmailExtScript.java, src/main/java/hudson/plugins/emailext/plugins/content/ScriptContent.java, src/main/java/hudson/plugins/emailext/plugins/trigger/AbstractScriptTrigger.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM. • http://www.securityfocus.com/bid/107476 https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1340 •