{"id":"CVE-2019-1003030","details":"A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java that allows attackers able to control pipeline scripts to execute arbitrary code on the Jenkins master JVM.","aliases":["GHSA-r6mc-mrvr-23cr"],"modified":"2026-05-28T04:04:51.636911477Z","published":"2019-03-08T21:29:00.343Z","database_specific":{"unresolved_ranges":[{"cpes":["cpe:2.3:a:redhat:openshift_container_platform:3.11:*:*:*:*:*:*:*"],"extracted_events":[{"last_affected":"3.11"}],"source":"CPE_STRING","vendor_product":"redhat:openshift_container_platform"}]},"references":[{"type":"WEB","url":"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-1003030"},{"type":"ADVISORY","url":"http://www.securityfocus.com/bid/107476"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:0739"},{"type":"ADVISORY","url":"https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1336%20%282%29"},{"type":"EVIDENCE","url":"http://packetstormsecurity.com/files/159603/Jenkins-2.63-Sandbox-Bypass.html"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/workflow-cps-plugin","events":[{"introduced":"0"},{"last_affected":"a082c2fef7b48a125ecb8c3211bf544c7793f904"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"2.63"}],"source":"CPE_RANGE","cpe":"cpe:2.3:a:jenkins:pipeline\\:_groovy:*:*:*:*:*:jenkins:*:*"}}],"versions":["workflow-cps-2.63","workflow-cps-2.62","workflow-cps-2.61","workflow-cps-2.60","workflow-cps-2.59","workflow-cps-2.58","workflow-cps-2.58-beta-1","workflow-cps-2.57","workflow-cps-2.56","workflow-cps-2.55","workflow-cps-2.54","workflow-cps-2.53","workflow-cps-2.52","workflow-cps-2.51","workflow-cps-2.50","workflow-cps-2.49","workflow-cps-2.48","workflow-cps-2.47","workflow-cps-2.46","workflow-cps-2.45","workflow-cps-2.44","workflow-cps-2.43","workflow-cps-2.42","workflow-cps-2.41","workflow-cps-2.40","workflow-cps-2.39","workflow-cps-2.36","workflow-cps-2.35","workflow-cps-2.34","workflow-cps-2.33","workflow-cps-2.32","workflow-cps-2.31","workflow-cps-2.30","workflow-cps-2.29","workflow-cps-2.28","workflow-cps-2.27","workflow-cps-2.26","workflow-cps-2.25","workflow-cps-2.24","workflow-cps-2.23","workflow-cps-2.22","workflow-cps-2.21","workflow-cps-2.20","workflow-cps-2.19","workflow-cps-2.18","workflow-cps-2.17","workflow-cps-2.16","workflow-cps-2.15","workflow-cps-2.14","workflow-cps-2.13","workflow-cps-2.12","workflow-cps-2.11","workflow-cps-2.10","workflow-cps-2.9","workflow-cps-2.8","workflow-cps-2.7","workflow-cps-2.6","workflow-cps-2.5","workflow-cps-2.4","workflow-cps-2.3","workflow-cps-2.2","workflow-cps-2.1","workflow-cps-2.0"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-1003030.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"}]}