CVE-2019-1003029
CRITICALSandbox bypass in Script Security Plugin
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
org.jenkins-ci.plugins:script-securityReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects Maven packages — download data is not available via public APIs for these ecosystems.
Description
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| ☕Maven | org.jenkins-ci.plugins:script-security | all versions | 1.54 |
Research use only. For defensive security, authorized penetration testing, and academic research only. Never execute exploit code against systems without explicit written authorization.
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin …
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin …
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin …
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin …
Frequently Asked Questions
Is CVE-2019-1003029 in your stack?
O3 detects CVE-2019-1003029 across Maven dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.