
CVE-2019-10400: Sandbox bypass vulnerability in Jenkins Script Security Plugin

CVSS Score: 4.2 (CVSS v3.1)

Basic Information

EPSS Score: 0.44774%
CWE: -
Published: 5/24/2022
Updated: 12/14/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Package Name: org.jenkins-ci.plugins:script-security
Ecosystem: maven
Vulnerable Versions: <= 1.62
First Patched Version: 1.63

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability (CVE-2019-10400) stems from the groovy-sandbox library (version ≤1.22) used by the Jenkins Script Security Plugin. The plugin itself did not contain specific vulnerable functions in its codebase; instead, the issue arose from insufficient sandboxing logic in the dependency. The commit shows the plugin upgraded to groovy-sandbox 1.23 and added tests to block unsafe expressions (e.g., subexpressions in increment/decrement operations). The actual vulnerability resided in the library's handling of method/property names and subexpressions, not in the plugin's own functions. Thus, no plugin-specific functions are identified with high confidence.


WAF Protection Rules

WAF Rule

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of subexpressions in increment and decrement expressions not involving actual assignment allowed attackers to execute arbitrary code in sandboxed scripts.
