
CVE-2019-1003041: Sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin

CVSS Score (v3.1): 9.8

Basic Information

EPSS Score: 0.83878%
Published: 5/13/2022
Updated: 12/18/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected package
Package Name: org.jenkins-ci.plugins.workflow:workflow-cps
Ecosystem: maven
Vulnerable Versions: < 2.65
First Patched Version: 2.65

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from insufficient sandbox validation during type coercion. In the pre-patch version of CpsWhitelist.java, permitsStaticMethod explicitly allowed calls to ScriptBytecodeAdapter.asType() (the runtime method behind Groovy type casting) without performing any security check. Because Groovy implements a cast such as 'X as Y' or 'Y x = [...]' by invoking a constructor of the target type, this let attackers bypass sandbox restrictions and reach constructors the whitelist would otherwise reject. The patch added Checker.preCheckedCast() validation to enforce the sandbox's restrictions during these operations, confirming this was the vulnerable code path.
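As an added illustration (not the plugin's code or the patch itself), the following Java sketch contrasts the unchecked pre-patch cast path with a cast check in the spirit of Checker.preCheckedCast(), showing why a list-to-object or map-to-object coercion must be treated as a constructor call. The Whitelist interface, the permitsCast methods and the Date-only policy are assumptions constructed for this demo.

```java
import java.util.*;

// Model of the cast check described above. Names and policy are assumptions,
// not the Pipeline: Groovy Plugin's real classes.
public class CastCheckDemo {
    // Stand-in for the sandbox whitelist: decides whether `new target(args)` is allowed.
    interface Whitelist { boolean permitsConstructor(Class<?> target, Object[] args); }

    // Pre-patch behaviour: asType() was permitted unconditionally, so every cast passed.
    static boolean permitsCastPrePatch(Class<?> target, Object value) { return true; }

    // Patched behaviour: a cast that Groovy implements through a constructor is checked
    // exactly like an explicit `new`. Only the List and Map coercion paths are modelled.
    static boolean permitsCast(Whitelist w, Class<?> target, Object value) {
        if (value == null || target.isInstance(value)) return true;   // no coercion needed
        if (Collection.class.isAssignableFrom(target)
                || Map.class.isAssignableFrom(target)) return true;    // container conversion, no constructor
        if (value instanceof List) {                                   // `[a, b] as T` -> new T(a, b)
            Object[] args = ((List<?>) value).toArray();
            return w.permitsConstructor(target, args);
        }
        if (value instanceof Map) {                                    // `T t = [k: v]` -> new T(), then setters
            return w.permitsConstructor(target, new Object[0]);        // (property-set checks omitted here)
        }
        return false;                                                  // other coercions: deny by default in this model
    }

    public static void main(String[] args) {
        // Constructed policy: only java.util.Date may be constructed inside the sandbox.
        Whitelist onlyDate = (t, a) -> t == Date.class;

        Object fileArgs = Arrays.asList("example.txt");   // what `["example.txt"] as File` hands to asType()
        Object dateArgs = Arrays.asList(0L);              // what `[0L] as Date` hands to asType()

        System.out.println("pre-patch [..] as File: " + permitsCastPrePatch(java.io.File.class, fileArgs));
        System.out.println("patched   [..] as File: " + permitsCast(onlyDate, java.io.File.class, fileArgs));
        System.out.println("patched   [..] as Date: " + permitsCast(onlyDate, Date.class, dateArgs));
    }
}
```

The pre-patch path approves the File cast regardless of policy, while the checked path routes it through the same constructor decision an explicit `new File(...)` would face.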


WAF Protection Rules

WAF Rule

A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin (vulnerable versions: < 2.65, per the table above) allows attackers to invoke arbitrary constructors in sandboxed scripts.
