CVE-2019-10355

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.61 and earlier related to the handling of type casts allowed attackers to execute arbitrary code in sandboxed scripts.

Published: Jul 31, 2019
Updated: Oct 26, 2023
CVE: CVE-2019-10355
GHSA: GHSA-p56j-x44h-g66j
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 6.5
AV:N/AC:L/Au:S/C:P/I:P/A:P

CWEs:

CWE-266
CWE-704

Affected Software
References

Software	From	Fixed in
jenkins / script_security	-	1.61.x
redhat / openshift_container_platform	3.11	3.11.x
redhat / openshift_container_platform	4.1	4.1.x
org.jenkins-ci.plugins / script-security	-	1.62

http://www.openwall.com/lists/oss-security/2019/07/31/1
https://access.redhat.com/errata/RHSA-2019:2594
https://access.redhat.com/errata/RHSA-2019:2651
https://access.redhat.com/errata/RHSA-2019:2662
https://github.com/jenkinsci/script-security-plugin/commit/5dc2e2465f309c772237a4b2de9caf61ba9b585b
https://jenkins.io/security/advisory/2019-07-31/#SECURITY-1465
https://jenkins.io/security/advisory/2019-07-31/#SECURITY-1465%20(1)
https://jenkins.io/security/advisory/2019-07-31/#SECURITY-1465%20%281%29

Vulnerability Database

289,689

CVE-2019-10355