8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-1003001

CVE-2019-1003001: Jenkins Groovy Plugin sandbox bypass vulnerability

Jenkins Script Security sandbox protection could be circumvented during the script compilation phase by applying AST transforming annotations such as @Grab to source code elements.

Both the pipeline validation REST APIs and actual script/pipeline execution are affected.

This allowed users with Overall/Read permission, or able to control Jenkinsfile or sandboxed Pipeline shared library contents in SCM, to bypass the sandbox protection and execute arbitrary code on the Jenkins controller.

All known unsafe AST transformations in Groovy are now prohibited in sandboxed scripts.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2019-1003001

CVE-2019-1003001:

8.8

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins.workflow:workflow-cps-parent	maven	<= 2.61	2.61.1
org.jenkins-ci.plugins:pipeline-model-definition	maven	<= 1.3.4	1.3.4.1
org.jenkins-ci.plugins:script-security	maven	<= 1.49	1.50

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from Jenkins' failure to restrict AST transformations during script compilation in sandboxed environments. Key evidence includes:

The script-security plugin commit shows added AST transform rejection logic
The workflow-cps-plugin commit demonstrates insecure script validation in doCheckScriptCompile without sandbox enforcement
Pipeline plugin commits show they executed AST transforms during validation phases These functions handled Groovy script compilation/validation but lacked proper sandboxing of AST transforms pre-patch, allowing annotations like @Grab to trigger remote code execution during compilation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.8

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2019-1003001: Jenkins Groovy Plugin sandbox bypass vulnerability

CVE-2019-1003001:

8.8

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

CVE-2019-1003001: Jenkins Groovy Plugin sandbox bypass vulnerability

Technical Details

8.8

8.8

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI