CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2019-1003029

CVSS 9.9v3.1pub. 2019-03-08upd. 2025-10-24

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Jenkins Script Security

    APP
    Jenkins
    ≤ 1.53
  • Red Hat OpenShift Container Platform

    APP
    Redhat
    3.11

CISA KEV — detailsi

Vendori
Jenkins
Producti
Script Security Plugin
Added to KEVi
April 25, 2022
Remediation deadline (US Federal)i
May 16, 2022(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

Jenkins Script Security Plugin contains a protection mechanism failure, allowing an attacker to bypass the sandbox.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 16 maja 2022
Tags
RCECI/CD
CWE
References

Related vulnerabilities

CVE-2019-7609CRITICAL10.0⚠ KEVten sam produkt

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. A...

CVE-2019-1003030CRITICAL9.9⚠ KEVten sam produkt

A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main...

CVE-2018-1000861CRITICAL9.8⚠ KEVten sam produkt

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.13...

CVE-2026-4408CRITICAL9.0PL ✓ten sam produkt

Samba: RCE przez command injection w 'check password script' z podstawieniem %u

CVE-2026-4480CRITICAL9.0PL ✓ten sam produkt

Samba: command injection w podsystemie drukowania przez podstawienie %J