CVE-2019-1003029

CVE-2019-1003029 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added April 25, 2022. EIP tracks 1 public exploit from researchers including Orange Tsai, Mikhail Egorov, George Noseevich, wvu, including a Metasploit module exploits/multi/http/jenkins_metaprogramming.

AI-analyzed exploit summary This Metasploit module exploits CVE-2019-1003029 in Jenkins by bypassing ACLs via dynamic routing and leveraging Groovy metaprogramming for RCE. It supports two targets: Unix in-memory execution and Java dropper payloads.

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java, src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SecureGroovyScript.java that allows attackers with Overall/Read permission to execute arbitrary code on the Jenkins master JVM.