CVE-2019-1003002: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
(updated )
A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in pipeline-model-definition/src/main/groovy/org/jenkinsci/plugins/pipeline/modeldefinition/parser/Converter.groovy that allows attackers with Overall/Read permission to provide a pipeline script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.
References
- packetstormsecurity.com/files/152132/Jenkins-ACL-Bypass-Metaprogramming-Remote-Code-Execution.html
- www.rapid7.com/db/modules/exploit/multi/http/jenkins_metaprogramming
- access.redhat.com/errata/RHBA-2019:0326
- access.redhat.com/errata/RHBA-2019:0327
- github.com/advisories/GHSA-x6jx-cxg3-mggh
- github.com/jenkinsci/pipeline-model-definition-plugin/commit/083abd96e68fd89f556a0cd53db5f878dbf09b92
- jenkins.io/security/advisory/2019-01-08/
- nvd.nist.gov/vuln/detail/CVE-2019-1003002
- www.exploit-db.com/exploits/46572/
Detect and mitigate CVE-2019-1003002 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →