CVE-2019-10431

CRITICAL

Jenkins Script Security Plugin < 1.64 - Sandbox Bypass via Default Parameter Expressions

Title source: llm

Description

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.64 and earlier related to the handling of default parameter expressions in constructors allowed attackers to execute arbitrary code in sandboxed scripts.

References (5)

Core References
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
http://www.openwall.com/lists/oss-security/2019/10/01/2
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:4097
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:4055
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:4089

Scores

CVSS v3 9.9
EPSS 0.0034
EPSS Percentile 56.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Details

CWE
CWE-94
Status published
Products (2)
jenkins/script_security < 1.64
org.jenkins-ci.plugins/script-security 0 - 1.65 (Maven)
Published Oct 01, 2019
Tracked Since Feb 18, 2026