8.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-10390

GHSA ID

GHSA-cjr8-5rw4-wh65

EPSS Score

0.16181%

CWE

Published

5/24/2022

Updated

10/26/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-10390

CVE-2019-10390: Jenkins Splunk Plugin Sandbox Bypass

Jenkins Splunk Plugin has a form validation HTTP endpoint used to validate a user-submitted Groovy script through compilation, which was not subject to sandbox protection. This allowed attackers with Overall/Read access to execute arbitrary code on the Jenkins controller by applying AST transforming annotations such as @Grab to source code elements.

The affected HTTP endpoint now applies a safe Groovy compiler configuration preventing the use of unsafe AST transforming annotations.

(GitHub Advisory)

8.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2019-10390

GHSA ID

GHSA-cjr8-5rw4-wh65

EPSS Score

0.16181%

CWE

Published

5/24/2022

Updated

10/26/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.splunk.splunkins:splunk-devops	maven	< 1.8.0	1.8.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from unsandboxed Groovy compilation in form validation endpoints. The commit diff shows the original validate() used GroovyShell directly (vulnerable), while the patched version uses GroovySandbox and ScriptApproval. The doCheckScriptContent method exposed this validation to HTTP endpoints without proper security checks (added RequirePOST and ADMINISTER permission checks in patch). Together these functions formed the attack surface for the sandbox bypass.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins Splunk Plu*in **s * *orm v*li**tion *TTP *n*point us** to v*li**t* * us*r-su*mitt** *roovy s*ript t*rou** *ompil*tion, w*i** w*s not su*j**t to s*n**ox prot**tion. T*is *llow** *tt**k*rs wit* Ov*r*ll/R*** ****ss to *x**ut* *r*itr*ry *o** on t

Reasoning

T** vuln*r**ility st*mm** *rom uns*n**ox** *roovy *ompil*tion in *orm v*li**tion *n*points. T** *ommit *i** s*ows t** ori*in*l `v*li**t*()` us** *roovyS**ll *ir**tly (vuln*r**l*), w*il* t** p*t**** v*rsion us*s *roovyS*n**ox *n* S*ript*pprov*l. T** `

8.8

Basic Information

Concerned about an active attack path?

CVE-2019-10390: Jenkins Splunk Plugin Sandbox Bypass

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI