CVE-2019-10400: Sandbox bypass vulnerability in Jenkins Script Security Plugin
CVSS Score: 4.2 (CVSS 3.1)
Basic Information
CVE ID
GHSA ID
EPSS Score
0.44774%
CWE
-
Published
5/24/2022
Updated
12/14/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.jenkins-ci.plugins:script-security | maven | <= 1.62 | 1.63 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability (CVE-2019-10400) stems from the groovy-sandbox library (version 1.22 and earlier) that the Jenkins Script Security Plugin depends on. The plugin's own codebase contains no specific vulnerable functions; the issue arose from insufficient sandboxing logic in that dependency. The fix commit upgrades the plugin to groovy-sandbox 1.23 and adds tests confirming that unsafe expressions (for example, subexpressions inside increment and decrement operations) are blocked. The actual defect lay in the library's handling of method/property names and subexpressions, not in any function of the plugin itself, so no plugin-specific functions can be identified with high confidence.