CVE-2019-1003041
jenkins-plugin-workflow-cps: Sandbox bypass in Script Security Plugin and Pipeline: Groovy Plugin (SECURITY-1353)
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin 2.64 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts.
Una vulnerabilidad de omisiĆ³n de sandbox en Jenkins Pipeline: el plugin "groovy", en sus versiones 2.64 y anteriores, permite a los atacantes invocar constructores arbitrarios en los scripts en "sandbox".
A flaw was found in the Jenkins Workflow CPS plugin. Groovy Plugins could be circumvented through methods supporting type casts and type coercion allowing attackers to invoke constructors for arbitrary types. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. Jenkins is a continuous integration server that monitors executions of repeated jobs, such as building a software project or jobs run by cron. Issues addressed include bypass and cross site scripting vulnerabilities.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-03-28 CVE Reserved
- 2019-03-28 CVE Published
- 2024-08-05 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
- CWE-704: Incorrect Type Conversion or Cast
CAPEC
References (6)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2019/03/28/2 | Mailing List |
|
| http://www.securityfocus.com/bid/107628 | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2019:1423 | 2023-10-25 | |
| https://jenkins.io/security/advisory/2019-03-25/#SECURITY-1353 | 2023-10-25 | |
| https://access.redhat.com/security/cve/CVE-2019-1003041 | 2019-06-10 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1694536 | 2019-06-10 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Jenkins Search vendor "Jenkins" | Pipeline: Groovy Search vendor "Jenkins" for product "Pipeline: Groovy" | <= 2.64 Search vendor "Jenkins" for product "Pipeline: Groovy" and version " <= 2.64" | jenkins |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform" | 3.11 Search vendor "Redhat" for product "Openshift Container Platform" and version "3.11" | - |
Affected
| ||||||