CVE-2019-1003040
📋 TL;DR
This vulnerability in Jenkins Script Security Plugin allows attackers to bypass sandbox restrictions and execute arbitrary code by invoking constructors in sandboxed scripts. It affects Jenkins instances using Script Security Plugin 1.55 or earlier. Attackers with permission to create/edit jobs or pipelines can exploit this to gain full control of the Jenkins server.
💻 Affected Systems
- Jenkins Script Security Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of Jenkins server leading to remote code execution, data theft, lateral movement to connected systems, and persistent backdoor installation.
Likely Case
Attackers with job creation/edit permissions achieve remote code execution, potentially compromising build pipelines, stealing credentials, and accessing sensitive data.
If Mitigated
With strict access controls and network segmentation, impact is limited to the isolated Jenkins environment, with no access to critical systems.
🎯 Exploit Status
Exploitation requires authenticated access with appropriate permissions. Public exploit details available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Script Security Plugin 1.56 or later
Vendor Advisory: https://jenkins.io/security/advisory/2019-03-25/#SECURITY-1353
Restart Required: Yes
Instructions:
1. Update Jenkins to the latest version
2. Update Script Security Plugin to 1.56+ via Plugin Manager
3. Restart Jenkins service
4. Verify plugin version in Manage Jenkins > Plugin Manager
🔧 Temporary Workarounds
Disable Script Security Plugin
Temporarily disable the vulnerable plugin if immediate patching is not possible
mv $JENKINS_HOME/plugins/script-security.hpi $JENKINS_HOME/plugins/script-security.hpi.disabled
Restart Jenkins
Restrict Script Permissions
Tighten Groovy sandbox permissions to limit script capabilities
Configure script approvals in Manage Jenkins > In-process Script Approval
🧯 If You Can't Patch
- Restrict user permissions to prevent job/pipeline creation/edit
- Isolate Jenkins server network segment and implement strict firewall rules
🔍 How to Verify
Check if Vulnerable:
Check the Script Security Plugin version in Manage Jenkins > Plugin Manager. If the version is 1.55 or earlier, the instance is vulnerable.
Check Version:
Check $JENKINS_HOME/plugins/script-security/META-INF/MANIFEST.MF for the Implementation-Version field, or use the Jenkins web interface.
Verify Fix Applied:
Verify Script Security Plugin version is 1.56 or later in Plugin Manager and test sandboxed script functionality.
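One way to script the manifest check described above, as an added example that is not part of this advisory: it reads the Implementation-Version field from a MANIFEST.MF (the path is the one given above), compares it field by field against the fixed version 1.56, and prints whether the installed plugin is vulnerable or fixed. The manifest contents embedded below are constructed sample data, and the function names are my own.

```shell
#!/bin/sh
# Added example: version check for the Script Security Plugin manifest.
# Real file: $JENKINS_HOME/plugins/script-security/META-INF/MANIFEST.MF

FIXED_VERSION="1.56"   # first fixed release per the advisory

# Print the Implementation-Version value from a manifest file.
# Manifest lines are CRLF-terminated, so the trailing \r is stripped.
manifest_version() {
    sed -n 's/^Implementation-Version: *//p' "$1" | tr -d '\r' | head -n 1
}

# Succeed (return 0) when dotted version $1 >= $2, comparing numerically
# field by field, so 1.60.1 > 1.56 and 2.0 > 1.56. Non-numeric suffixes
# such as -SNAPSHOT or -rc1 are ignored (treated as the base version).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        x="${x%%[!0-9]*}"; y="${y%%[!0-9]*}"
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    return 0
}

# Print "vulnerable", "fixed", or "unknown" (no version field) for a manifest.
check_manifest() {
    v="$(manifest_version "$1")"
    if [ -z "$v" ]; then echo "unknown"; return 0; fi
    if version_ge "$v" "$FIXED_VERSION"; then echo "fixed"; else echo "vulnerable"; fi
}

# Constructed sample manifest standing in for the real plugin file.
SAMPLE="$(mktemp)"
printf 'Manifest-Version: 1.0\r\nShort-Name: script-security\r\nImplementation-Version: 1.55\r\n' > "$SAMPLE"
echo "script-security $(manifest_version "$SAMPLE"): $(check_manifest "$SAMPLE")"
rm -f "$SAMPLE"
```

Point `check_manifest` at the real MANIFEST.MF path to check a live installation; "unknown" means the field was not found and the Plugin Manager view should be consulted instead.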
📡 Detection & Monitoring
Log Indicators:
- Unusual Groovy script execution patterns
- Failed sandbox approval requests
- Unexpected constructor invocations in scripts
Network Indicators:
- Unusual outbound connections from Jenkins server
- Suspicious payloads in Jenkins API requests
SIEM Query:
source="jenkins.log" AND ("sandbox" OR "script-security" OR "Groovy") AND ("bypass" OR "constructor" OR "unauthorized")
🔗 References
- http://www.openwall.com/lists/oss-security/2019/03/28/2
- http://www.securityfocus.com/bid/107628
- https://access.redhat.com/errata/RHSA-2019:1423
- https://jenkins.io/security/advisory/2019-03-25/#SECURITY-1353