CVE-2019-1003030

CRITICAL KEV

Jenkins Pipeline: Groovy Plugin <2.63 - RCE

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2019-1003030 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added March 25, 2022. EIP tracks 2 public exploits from researchers including Daniel Morris, overgrowncarrot1.

AI-analyzed exploit summary This exploit bypasses the Groovy sandbox in Jenkins 2.63 by sending a crafted HTTP GET request to execute arbitrary commands via the SecureGroovyScript endpoint. The payload URL-encodes a Groovy class that executes a ping command, demonstrating RCE.

Description

A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java that allows attackers able to control pipeline scripts to execute arbitrary code on the Jenkins master JVM.

Exploits (2)

exploitdb WORKING POC
by Daniel Morris · textwebappsjava
https://www.exploit-db.com/exploits/48904

This exploit bypasses the Groovy sandbox in Jenkins 2.63 by sending a crafted HTTP GET request to execute arbitrary commands via the SecureGroovyScript endpoint. The payload URL-encodes a Groovy class that executes a ping command, demonstrating RCE.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Trivial
Reliability
Reliable
Target: Jenkins 2.63 with pipeline: Groovy plug-in
Auth required
Prerequisites: Valid Jenkins session (JSESSIONID cookie) · Network access to Jenkins instance · Pipeline: Groovy plug-in enabled
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC 1 stars
by overgrowncarrot1 · remote
https://github.com/overgrowncarrot1/CVE-2019-1003030

This repository contains a functional exploit for CVE-2019-1003030, a Jenkins RCE vulnerability. The script leverages the Jenkins Script Security Plugin's sandbox bypass to upload and execute a reverse shell.

Classification
Working Poc 95%
Attack Type
Rce
Complexity
Moderate
Reliability
Reliable
Target: Jenkins with Script Security Plugin
Auth required
Prerequisites: Jenkins instance with Script Security Plugin · Valid Jenkins Crumb · Writeable folder on target
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (5)

Core 5
Core References
Broken Link, Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/107476
Third Party Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:0739
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
http://packetstormsecurity.com/files/159603/Jenkins-2.63-Sandbox-Bypass.html

Scores

CVSS v3 9.9
EPSS 0.9182
EPSS Percentile 99.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2022-03-25
VulnCheck KEV 2021-10-13
InTheWild.io 2021-09-27
ENISA EUVD EUVD-2022-5117
CWE
CWE-693
Status published
Products (3)
jenkins/pipeline\ < 2.63
org.jenkins-ci.plugins.workflow/workflow-cps 0 - 2.64Maven
redhat/openshift_container_platform 3.11
Published Mar 08, 2019
KEV Added Mar 25, 2022
Tracked Since Feb 18, 2026