Security restrictions bypass in Pipeline: Groovy - CVE-2019-1003030
Published: March 7, 2019 / Updated: March 25, 2022
Vulnerability identifier: #VU17913
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:A/U:Green
CVE-ID: CVE-2019-1003030
CWE-ID: CWE-264
Exploitation vector: Remote access
Exploit availability:
The vulnerability is being exploited in the wild
Vendor: Jenkins
Affected software:
Pipeline: Groovy
Pipeline: Groovy
Detailed vulnerability description
The vulnerability allows a remote attacker to execute arbitrary code on the vulnerable server.
The vulnerability exists in "pom.xml" and "src/mai/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java" due to an error when parsing, compiling or instantiating a Groovy script. A remote attacker with the ability to control the contents of a pipeline can supply a specially crafted Groovy script, bypass the sandbox protection and execute arbitrary code on the Jenkins master.
Successful exploitation of the vulnerability may allow an attacker to compromise the affected server.
How to mitigate CVE-2019-1003030
Install update from vendor's website.