10

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-10431

GHSA ID

GHSA-72gx-qq2m-6xr2

EPSS Score

0.60346%

CWE

CWE-94

Published

5/24/2022

Updated

10/26/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-10431

CVE-2019-10431: Improper Control of Generation of Code in Jenkins Script Security Plugin

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.64 and earlier related to the handling of default parameter expressions in constructors allowed attackers to execute arbitrary code in sandboxed scripts.

(GitHub Advisory)

10

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-10431

GHSA ID

GHSA-72gx-qq2m-6xr2

EPSS Score

0.60346%

CWE

CWE-94

Published

5/24/2022

Updated

10/26/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:script-security	maven	<= 1.64	1.65

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The commit diff shows added tests blocking 'x = Jenkins.getInstance()' in constructor parameters when calling super(), and the patch upgraded groovy-sandbox to handle these expressions. The vulnerability specifically involved improper handling of default parameter initializers in constructors with super calls, which would execute outside sandbox constraints. The test case demonstrates this bypass vector, and the CWE-94 classification confirms it's a code injection via uncontrolled code generation.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* s*n**ox *yp*ss vuln*r**ility in J*nkins S*ript S**urity Plu*in *.** *n* **rli*r r*l*t** to t** **n*lin* o* ****ult p*r*m*t*r *xpr*ssions in *onstru*tors *llow** *tt**k*rs to *x**ut* *r*itr*ry *o** in s*n**ox** s*ripts.

Reasoning

T** *ommit *i** s*ows ***** t*sts *lo*kin* 'x = J*nkins.**tInst*n**()' in *onstru*tor p*r*m*t*rs w**n **llin* `sup*r()`, *n* t** p*t** up*r**** `*roovy-s*n**ox` to **n*l* t**s* *xpr*ssions. T** vuln*r**ility sp**i*i**lly involv** improp*r **n*lin* o*

10

Basic Information

Concerned about an active attack path?

CVE-2019-10431: Improper Control of Generation of Code in Jenkins Script Security Plugin

10

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI