Login Sign Up

CVE-2019-1003034

9.9 CRITICAL
Remote Code Execution

📋 TL;DR

This vulnerability allows attackers with control over Jenkins Job DSL definitions to bypass sandbox restrictions and execute arbitrary code on the Jenkins master JVM. It affects Jenkins Job DSL Plugin versions 1.71 and earlier. Attackers need Job DSL definition control, typically requiring some level of Jenkins access.

💻 Affected Systems

Products:
  • Jenkins Job DSL Plugin
Versions: 1.71 and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Requires attacker control over Job DSL definitions, which typically requires some level of Jenkins access (Job configuration permissions).

📦 What is this software?

Job Dsl by Jenkins

View all CVEs affecting Job Dsl →

Openshift Container Platform by Redhat

View all CVEs affecting Openshift Container Platform →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of Jenkins master with full control over the JVM, allowing installation of malware, data theft, lateral movement, and persistent backdoors.

🟠

Likely Case

Attackers with Job DSL editing privileges gain full administrative control over Jenkins, potentially compromising build pipelines and sensitive credentials.

🟢

If Mitigated

With proper access controls limiting Job DSL editing to trusted users only, impact is limited to authorized administrators.

🌐 Internet-Facing: HIGH if Jenkins is internet-facing and attackers can authenticate or find credential leaks.
🏢 Internal Only: HIGH for internal Jenkins instances as attackers with internal access can exploit this to gain full control.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires Job DSL definition editing privileges. Public exploit details exist in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.72

Vendor Advisory: https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1342

Restart Required: Yes

Instructions:

1. Update Jenkins Job DSL Plugin to version 1.72 or later via Jenkins Plugin Manager. 2. Restart Jenkins after plugin update.

🔧 Temporary Workarounds

Restrict Job DSL Permissions

all

Limit who can create or modify Job DSL definitions to only trusted administrators.

Configure Jenkins Role-Based Strategy or Matrix Authorization to restrict Job/Configure permissions for Job DSL jobs

🧯 If You Can't Patch

  • Immediately restrict Job DSL editing permissions to only essential administrators
  • Monitor Jenkins logs for suspicious Job DSL definition changes or execution patterns

🔍 How to Verify

Check if Vulnerable:

Check Jenkins Plugin Manager for Job DSL Plugin version. If version is 1.71 or earlier, system is vulnerable.

Check Version:

In Jenkins web UI: Manage Jenkins > Plugin Manager > Installed plugins, find 'Job DSL Plugin'

Verify Fix Applied:

Verify Job DSL Plugin version is 1.72 or later in Jenkins Plugin Manager.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Job DSL script executions
  • Job configuration changes from unexpected users
  • Sandbox violation warnings in Jenkins logs

Network Indicators:

  • Unusual outbound connections from Jenkins master

SIEM Query:

source="jenkins.log" AND ("Job DSL" OR "sandbox" OR "AbstractDslScriptLoader") AND ("error" OR "exception" OR "violation")

📊 Metadata

CVE ID: CVE-2019-1003034
CVSS v3 Score: 9.9 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Published: March 8, 2019
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON