Main Vulnerability Database Vulnerabilities #VU21570

#VU21570 Improper access control in Script Security - CVE-2019-1003000

Published: October 7, 2019 / Updated: June 17, 2021

Vulnerability identifier: #VU21570

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber

CVE-ID: CVE-2019-1003000

CWE-ID: CWE-284

Exploitation vector: Remote access

Exploit availability: Public exploit is available

Vulnerable software:
Script Security

Software vendor:
Jenkins

Description

The vulnerability allows a remote attacker to bypass sandbox restrictions.

The vulnerability exists due to improper access restrictions in "src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java" when applying AST transforming annotations such as @Grab to source code elements. A remote authenticated attacker with Overall/Read permission, or able to control Jenkins file or sandboxed Pipeline shared library contents in SCM, can bypass the sandbox protection and execute arbitrary code on the Jenkins master.

Remediation

Install updates from vendor's website.

External links

https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266

#VU21570 Improper access control in Script Security - CVE-2019-1003000

Description

Remediation

External links

Please verify you're human