CVE-2019-1003024: Jenkins Script Security Plugin sandbox bypass vulnerability

CVSS Score: 8.8 (CVSS v3.0)

Basic Information

EPSS Score: 0.54501%
CWE: -
Published: 5/13/2022
Updated: 12/20/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name: org.jenkins-ci.plugins:script-security
Ecosystem: maven
Vulnerable Versions: <= 1.52
First Patched Version: 1.53

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from insufficient annotation validation during Groovy script compilation. The fix commit shows three gaps:

  1. visitAnnotations() compared only simple annotation names (such as 'Grab') and not fully qualified class names (such as 'groovy.lang.Grab'), so writing the annotation as @groovy.lang.Grab slipped past the check.
  2. visitImports() did not exist in vulnerable versions, so a prohibited annotation could be brought into the script under another name through an import alias (import groovy.lang.Grab as X) or a fully qualified import, and the alias was then compared instead of the real class.
  3. The BLOCKED_TRANSFORMS list was incomplete; related annotations such as AnnotationCollector, which bundles other annotations (blocked ones included) into a new one, were missing.

These functions enforce the annotation restrictions during script compilation, and their incomplete implementations enabled the documented bypass vectors.
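To make the three gaps concrete, here is an added Python model (written for this page; it is not Miggo's code and not the Script Security Plugin's Java, which works on Groovy's real AST). It extracts imports and annotation uses from a script with regular expressions, then runs a check modelled on the pre-1.53 logic next to a check modelled on the hardened logic. The annotation class names in the blocklist are Groovy's real ones; the function names, the regex-based "parser", the default-import handling and the sample scripts are all constructed for the illustration and resolve names only as far as the blocklist requires, since no classpath is available here.

```python
import re

# Compile-time AST transforms that must never run for a sandboxed script.
# The class names are Groovy's real annotations; the set itself only
# illustrates the BLOCKED_TRANSFORMS list the analysis above refers to.
BLOCKED_TRANSFORMS = {
    "groovy.lang.Grab",
    "groovy.lang.Grapes",
    "groovy.lang.GrabConfig",
    "groovy.lang.GrabExclude",
    "groovy.lang.GrabResolver",
    "groovy.transform.ASTTest",
    "groovy.transform.AnnotationCollector",
}

# Packages Groovy imports implicitly, which is why a bare @Grab already
# means groovy.lang.Grab without any import statement in the script.
DEFAULT_STAR_IMPORTS = ("groovy.lang", "groovy.util", "java.lang",
                        "java.util", "java.io", "java.net")

# Deliberately small regex model of the Groovy front end (not a parser):
# 'import a.b.C', 'import a.b.C as D' and 'import a.b.*' on one line,
# and any '@Name' token except the '@interface' keyword.
IMPORT_RE = re.compile(
    r"^\s*import\s+(?!static\b)([\w.]+?)(\.\*)?(?:\s+as\s+(\w+))?\s*;?\s*$", re.M)
ANNOTATION_RE = re.compile(r"@(?!interface\b)([A-Za-z_][\w.]*)")


def parse_imports(source):
    """Return (aliases, star_packages). aliases maps each simple name the
    script may use to the FQCN it stands for (explicit alias or the class's
    own simple name); star_packages lists packages opened by 'import p.*'."""
    aliases, star_packages = {}, []
    for fqcn, star, alias in IMPORT_RE.findall(source):
        if star:
            star_packages.append(fqcn)
        else:
            aliases[alias or fqcn.rsplit(".", 1)[-1]] = fqcn
    return aliases, star_packages


def resolve(name, aliases, star_packages):
    """Resolve an annotation as written to a FQCN the way the compiler
    would: dotted names are taken literally, simple names go through
    aliases, then explicit star imports, then Groovy's default imports.
    Without a classpath a star import is only resolved when it lands on a
    blocked class, which is the only case this check cares about."""
    if "." in name:
        return name
    if name in aliases:
        return aliases[name]
    for pkg in list(star_packages) + list(DEFAULT_STAR_IMPORTS):
        candidate = f"{pkg}.{name}"
        if candidate in BLOCKED_TRANSFORMS:
            return candidate
    return name


def vulnerable_check(source):
    """Model of the pre-1.53 behaviour described above: the annotation name
    exactly as written is compared with a short list of simple names,
    imports are never inspected, and AnnotationCollector is not listed.
    Returns the matched name, or None if the script is accepted."""
    blocked_simple = {n.rsplit(".", 1)[-1] for n in BLOCKED_TRANSFORMS}
    blocked_simple -= {"AnnotationCollector"}
    for name in ANNOTATION_RE.findall(source):
        if name in blocked_simple:
            return name
    return None


def fixed_check(source):
    """Model of the hardened behaviour: importing a blocked class (directly
    or under an alias) is rejected, every annotation is resolved to its
    FQCN before comparison, and AnnotationCollector is on the list.
    Returns the blocked FQCN, or None if the script is accepted."""
    aliases, star_packages = parse_imports(source)
    for fqcn in aliases.values():
        if fqcn in BLOCKED_TRANSFORMS:
            return fqcn
    for name in ANNOTATION_RE.findall(source):
        fqcn = resolve(name, aliases, star_packages)
        if fqcn in BLOCKED_TRANSFORMS:
            return fqcn
    return None


# Constructed sample scripts: one per bypass vector named in the analysis,
# plus the straightforward case both checks catch and a benign script.
SCRIPTS = {
    "simple-name": "@Grab('com.example:evil:1.0')\nimport com.example.Evil\n",
    "fqcn":        "@groovy.lang.Grab('com.example:evil:1.0')\nimport com.example.Evil\n",
    "alias":       "import groovy.lang.Grab as Dep\n@Dep('com.example:evil:1.0')\n",
    "collector":   "import groovy.transform.AnnotationCollector\n"
                   "@AnnotationCollector\n@interface Dangerous {}\n",
    "star-import": "import groovy.transform.*\n@AnnotationCollector\n@interface Dangerous {}\n",
    "benign":      "@Deprecated\nclass Foo {}\n",
}


def compare_all():
    """Run both checks over every sample; returns {label: (vulnerable, fixed)}."""
    return {label: (vulnerable_check(src), fixed_check(src))
            for label, src in SCRIPTS.items()}


if __name__ == "__main__":
    for label, (vuln, fixed) in compare_all().items():
        print(f"{label:12s} vulnerable={vuln!r:32} fixed={fixed!r}")
```

The lesson the model makes visible is that a denylist keyed on the surface spelling of an identifier is defeated by every other spelling the language permits (fully qualified name, alias, star import, or a wrapper annotation that pulls the blocked one in). The comparison has to happen on the resolved identity, and the import table has to be checked as well, because that is where the alternative spellings are introduced.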

WAF Protection Rules

WAF Rule

The previously implemented script security sandbox protections prohibiting the use of unsafe AST transforming annotations such as `@Grab` ([****-**-** fix for SECURITY-****](https://www.jenkins.io/security/advisory/****-**-**/#SECURITY-****)) could
