Cyber Resilience

CVE-2019-1003030

CriticalCISA KEVActive ExploitationEUVD ExploitedPublic PoC

Published: 08 March 2019

Published
08 March 2019
Modified
24 October 2025
KEV Added
25 March 2022
Patch
CVSS Score v3.1 9.9 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.9182 99.7th percentile
Risk Priority 95 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2019-1003030 is a critical-severity Protection Mechanism Failure (CWE-693) vulnerability in Jenkins Pipeline\. Its CVSS base score is 9.9 (Critical).

Operationally, ranked in the top 0.3% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

A sandbox bypass vulnerability exists in the Jenkins Pipeline: Groovy Plugin versions 2.63 and earlier, specifically within CpsGroovyShell.java. The flaw permits execution of arbitrary code on the Jenkins master JVM when an attacker can supply or modify pipeline scripts, as indicated by the affected files pom.xml and the associated source path. The issue carries a CVSS 3.1 score of 9.9 and is categorized under protection mechanism failure.

Attackers with the ability to control pipeline scripts, such as users granted pipeline authoring permissions, can exploit the bypass to run code outside the intended Groovy sandbox. This grants them full access to the Jenkins master process, enabling impacts across confidentiality, integrity, and availability on the controller.

The Jenkins security advisory for SECURITY-1336 and the associated Red Hat errata RHSA-2019:0739 address remediation steps, including updates that restrict script execution to prevent the sandbox escape. Public exploit code referencing Jenkins 2.63 has been published, confirming the issue's practical exploitability in unpatched environments.

EU & UK References

Vulnerability details

A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java that allows attackers able to control pipeline scripts to execute arbitrary code on the Jenkins master JVM.

CWE(s)
KEV Date Added
25 March 2022

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

jenkins
pipeline\
_groovy
redhat
openshift container platform
3.11

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces the Groovy sandbox restrictions on pipeline scripts that the CVE bypasses, blocking arbitrary code execution on the master JVM.

prevent

Limits pipeline-authoring permissions to the minimum required, reducing the population of users able to supply exploitable scripts.

prevent

Requires prompt application of the vendor patch (SECURITY-1336) that closes the sandbox-escape flaw in CpsGroovyShell.

References