KEVIntel

Vulnerability detail

Enriched intelligence for a single CVE

Back to KEVs

9.9

CVSS
Critical

CVE-2019-1003029

PUBLISHED

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in...

Exploited in the wild Remote Low complexity No user interaction

Vendor: Jenkins project
Product: Jenkins Script Security Plugin
Published: Mar 08, 2019
EPSS: —

Description

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM.

java cisa metasploit

CVSS scores

CVSS v3.1 9.9 Critical

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CVSS v2.0 6.5

AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitation status

Exploited in the wild

Recorded 2022-04-25 00:00:00 UTC · Source

SSVC decision points

Exploitation: active
Automatable: No
Technical impact: total

References

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source	Added
CISA	Apr 25, 2022

Scanner integrations

Scanner	Reference	Detected
Metasploit	https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/jenkins_metaprogramming.rb	Apr 28, 2025

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

jenkins_metaprogramming

metasploit · Created Unknown

Metasploit module for CVE-2019-1003029

Timeline

CVE ID Reserved

March 08, 2019
CVE Published to Public

March 08, 2019
Added to KEVIntel

April 25, 2022
Detected by Metasploit

April 28, 2025