Vulnerability Description
A sandbox bypass vulnerability exists in Jenkins Job DSL Plugin 1.71 and earlier in job-dsl-core/src/main/groovy/javaposse/jobdsl/dsl/AbstractDslScriptLoader.groovy, job-dsl-plugin/build.gradle, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/JobDslWhitelist.groovy, job-dsl-plugin/src/main/groovy/javaposse/jobdsl/plugin/SandboxDslScriptLoader.groovy that allows attackers with control over Job DSL definitions to execute arbitrary code on the Jenkins master JVM.
CVSS Score
9.9 (CRITICAL)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jenkins | Job Dsl | <= 1.71 |
| Redhat | Openshift Container Platform | 3.11 |
References
- http://www.securityfocus.com/bid/107476 (Third Party Advisory, VDB Entry)
- https://access.redhat.com/errata/RHSA-2019:0739 (Third Party Advisory)
- https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1342 (Vendor Advisory)
FAQ
What is CVE-2019-1003034?
CVE-2019-1003034 is a vulnerability with a CVSS score of 9.9 (CRITICAL). A sandbox bypass vulnerability exists in Jenkins Job DSL Plugin 1.71 and earlier in job-dsl-core/src/main/groovy/javaposse/jobdsl/dsl/AbstractDslScriptLoader.groovy, job-dsl-plugin/build.gradle, job-d...
How severe is CVE-2019-1003034?
CVE-2019-1003034 has been rated CRITICAL with a CVSS base score of 9.9/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2019-1003034?
Check the references section above for vendor advisories and patch information. Affected products include: Jenkins Job Dsl, Redhat Openshift Container Platform.