CVE-2019-1003024

Published: Feb 20, 2019Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.52 and earlier in RejectASTTransformsCustomizer.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.

Affected (2)

Products: Jenkins: Script Security · Redhat: Openshift Container Platform

1 product

Script Security

1 product

Openshift Container Platform

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Jenkins Script Security	Up to 1.52

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Openshift Container Platform	Version 3.11

References (6)

http://www.securityfocus.com/bid/107295

Source: jenkinsci-cert@googlegroups.com

Third Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHSA-2019:0739

Source: jenkinsci-cert@googlegroups.com

Third Party Advisory

https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1320

Source: jenkinsci-cert@googlegroups.com

Vendor Advisory

http://www.securityfocus.com/bid/107295

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party AdvisoryVDB Entry

https://access.redhat.com/errata/RHSA-2019:0739

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://jenkins.io/security/advisory/2019-02-19/#SECURITY-1320

Source: af854a3a-2127-422b-91ae-364da2661108

Vendor Advisory

Timeline

No history available yet.