CVE-2019-1003002 — Vulnetix

Try Vulnetix Request Demo

CVE-2019-1003002 PUBLISHED CVSS 8.800000190734863 HIGH

Reported by jenkins · Published January 22, 2019

A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in pipeline-model-definition/src/main/groovy/org/jenkinsci/plugins/pipeline/modeldefinition/parser/Converter.groovy that allows attackers with Overall/Read permission to provide a pipeline script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.

Risk Scores

CVSS v3.1

8.800000190734863

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Products

Vendor	Product	Versions
Jenkins project	Pipeline: Declarative Plugin	1.3.3 and earlier
Maven	org.jenkinsci.plugins:pipeline-model-parent	0, 0, 0
Jenkins project	Pipeline: Declarative Plugin	1.3.3 and earlier, 1.3.3 and earlier, *
Maven	org.jenkinsci.plugins:pipeline-model-definition	0, 0, 0

Timeline

Jan 22, 2019 CVE Published
Apr 14, 2021 EPSS Score
Aug 23, 2021 EPSS Score
Sep 16, 2021 EPSS Score
Oct 24, 2021 EPSS Score
Feb 4, 2022 EPSS Score
Apr 28, 2022 EPSS Score
Jun 30, 2022 EPSS Score
Aug 31, 2022 EPSS Score
Dec 31, 2022 EPSS Score
Jan 1, 2023 EPSS Score
Jan 3, 2023 EPSS Score

References

x_refsource_CONFIRM
RHBA-2019:0326 vendor-advisoryx_refsource_REDHAT
x_refsource_MISC
x_refsource_MISC
46572 exploitx_refsource_EXPLOIT-DB
RHBA-2019:0327 vendor-advisoryx_refsource_REDHAT
https://nvd.nist.gov/vuln/detail/CVE-2019-1003002 advisory
https://github.com/jenkinsci/pipeline-model-definition-plugin/commit/083abd96e68fd89f556a0cd53db5f878dbf09b92 patch
https://github.com/advisories/GHSA-x6jx-cxg3-mggh advisory

Open in Interactive Console →