Cyber Resilience

CVE-2019-1003029

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 08 March 2019
Modified: 24 October 2025
KEV Added: 25 April 2022
Patch
CVSS Score (v3.1): 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
EPSS Score: 0.9265 (99.8th percentile)
Risk Priority: 95 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2019-1003029 is a critical-severity vulnerability in Jenkins Script Security; its weakness type (CWE) is not specified in this record. Its CVSS base score is 9.9 (Critical).

Operationally, it ranks in the top 0.2% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

The vulnerability CVE-2019-1003029 is a sandbox bypass affecting the Jenkins Script Security Plugin in versions 1.53 and earlier. It resides in the GroovySandbox.java and SecureGroovyScript.java components and permits execution of code outside the intended Groovy sandbox on the Jenkins master JVM.

Attackers holding the Overall/Read permission can exploit the flaw over the network to run arbitrary code on the master with full impact to confidentiality, integrity, and availability. The vulnerability is rated 9.9 under CVSS 3.1 with an attack vector of network, low complexity, and no user interaction required.

Public references include the Jenkins security advisory for SECURITY-1336, Red Hat errata RHSA-2019:0739, and multiple exploit disclosures on Packet Storm and SecurityFocus that point to available updates for the plugin.

EU & UK References

Vulnerability details

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM.
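As an added example (not from the original record or the Jenkins project), the check below flags Script Security Plugin installs still in the affected range (1.53 and earlier). It assumes the plugin inventory comes in the JSON shape of Jenkins' plugin manager endpoint (/pluginManager/api/json?depth=1, with shortName and version fields); the sample response is constructed for the example. Versions are compared component-wise, because a string or float comparison would wrongly rank 1.6 below 1.53.

```python
"""Flag Jenkins Script Security Plugin versions affected by CVE-2019-1003029.

Affected range per the advisory: script-security <= 1.53.
Assumed input shape: the JSON returned by /pluginManager/api/json?depth=1.
The SAMPLE_RESPONSE below is constructed for this example, not real output.
"""
import json
import re
from typing import List, Tuple

AFFECTED_PLUGIN = "script-security"
MAX_AFFECTED = "1.53"  # 1.53 and earlier are affected

# Constructed sample in the assumed plugin-manager JSON shape
SAMPLE_RESPONSE = json.dumps({
    "plugins": [
        {"shortName": "script-security", "version": "1.53", "active": True},
        {"shortName": "workflow-cps", "version": "2.64", "active": True},
        {"shortName": "git", "version": "3.9.3", "active": True},
    ]
})


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '1.53', '1.6' or '1.53-beta' into a tuple of leading numeric parts.

    Parsing stops at the first non-numeric component (e.g. 'beta', 'rc1').
    """
    parts = []
    for p in re.split(r"[.\-]", v):
        if not p.isdigit():
            break
        parts.append(int(p))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the version is 1.53 or earlier (tuple compare: 1.6 < 1.53)."""
    return parse_version(version) <= parse_version(MAX_AFFECTED)


def find_affected(plugin_json: str) -> List[Tuple[str, str]]:
    """Return (shortName, version) pairs of installed affected plugin builds."""
    data = json.loads(plugin_json)
    hits = []
    for plugin in data.get("plugins", []):
        name = plugin.get("shortName")
        version = plugin.get("version", "0")
        if name == AFFECTED_PLUGIN and is_affected(version):
            hits.append((name, version))
    return hits


if __name__ == "__main__":
    for name, ver in find_affected(SAMPLE_RESPONSE):
        print(f"{name} {ver}: affected by CVE-2019-1003029; update the plugin (SI-2)")
```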

CWE(s): not specified
KEV Date Added: 25 April 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

- jenkins / script security / ≤ 1.53
- redhat / openshift container platform / 3.11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

- prevent: Directly enforces the sandbox restrictions on Groovy script execution that the vulnerable GroovySandbox.java/SecureGroovyScript.java code fails to uphold, blocking arbitrary master JVM code execution even for Overall/Read users.

- prevent: Limits the Overall/Read permission that is sufficient to trigger the sandbox bypass, reducing the population of accounts able to reach the flawed code path.

- prevent: Requires prompt application of the Script Security Plugin update that closes the SECURITY-1336 sandbox bypass before exploitation can occur.

References