Vulnerability details: VCID-xfmw-gut6-ryd3
Vulnerability ID VCID-xfmw-gut6-ryd3
Aliases CVE-2019-1003030, GHSA-r6mc-mrvr-23cr
Summary Sandbox bypass in Jenkins Pipeline: Groovy Plugin. A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java that allows attackers able to control pipeline scripts to execute arbitrary code on the Jenkins master JVM.
Status Published
Exploitability 2.0
Weighted Severity 9.0
Risk 10.0
System Score Found at
cvssv3.1 9.9 http://packetstormsecurity.com/files/159603/Jenkins-2.63-Sandbox-Bypass.html
generic_textual CRITICAL http://packetstormsecurity.com/files/159603/Jenkins-2.63-Sandbox-Bypass.html
ssvc Attend http://packetstormsecurity.com/files/159603/Jenkins-2.63-Sandbox-Bypass.html
cvssv3.1 9.9 https://access.redhat.com/errata/RHSA-2019:0739
generic_textual CRITICAL https://access.redhat.com/errata/RHSA-2019:0739
ssvc Attend https://access.redhat.com/errata/RHSA-2019:0739
cvssv3 8.8 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-1003030.json
epss 0.92885 https://api.first.org/data/v1/epss?cve=CVE-2019-1003030
epss 0.93052 https://api.first.org/data/v1/epss?cve=CVE-2019-1003030
cvssv3.1_qr CRITICAL https://github.com/advisories/GHSA-r6mc-mrvr-23cr
cvssv3.1 9.9 https://github.com/jenkinsci/workflow-cps-plugin
generic_textual CRITICAL https://github.com/jenkinsci/workflow-cps-plugin
cvssv3.1 9.9 https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1336%20(2)
generic_textual CRITICAL https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1336%20(2)
cvssv3.1 9.9 https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1336%20%282%29
ssvc Attend https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1336%20%282%29
cvssv2 6.5 https://nvd.nist.gov/vuln/detail/CVE-2019-1003030
cvssv3.1 9.9 https://nvd.nist.gov/vuln/detail/CVE-2019-1003030
generic_textual CRITICAL https://nvd.nist.gov/vuln/detail/CVE-2019-1003030
cvssv3.1 9.9 https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-1003030
generic_textual CRITICAL https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-1003030
cvssv3.1 9.9 http://www.securityfocus.com/bid/107476
ssvc Attend http://www.securityfocus.com/bid/107476
Data source Exploit-DB
Date added Oct. 19, 2020
Description Jenkins 2.63 - Sandbox bypass in pipeline: Groovy plug-in
Ransomware campaign use Unknown
Source publication date Oct. 19, 2020
Exploit type webapps
Platform java
Source update date Oct. 19, 2020
Data source KEV
Date added March 25, 2022
Description Jenkins Matrix Project plugin contains a vulnerability which can allow users to escape the sandbox, opening opportunity to perform remote code execution.
Required action Apply updates per vendor instructions.
Due date April 15, 2022
Note https://nvd.nist.gov/vuln/detail/CVE-2019-1003030
Ransomware campaign use Unknown
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at http://packetstormsecurity.com/files/159603/Jenkins-2.63-Sandbox-Bypass.html
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Found at http://packetstormsecurity.com/files/159603/Jenkins-2.63-Sandbox-Bypass.html
Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T13:07:24Z/ Found at http://packetstormsecurity.com/files/159603/Jenkins-2.63-Sandbox-Bypass.html
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at https://access.redhat.com/errata/RHSA-2019:0739
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Found at https://access.redhat.com/errata/RHSA-2019:0739
Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T13:07:24Z/ Found at https://access.redhat.com/errata/RHSA-2019:0739
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-1003030.json
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at https://github.com/jenkinsci/workflow-cps-plugin
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1336%20(2)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Found at https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1336%20%282%29
Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T13:07:24Z/ Found at https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1336%20%282%29
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2019-1003030
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2019-1003030
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at https://nvd.nist.gov/vuln/detail/CVE-2019-1003030
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:H Found at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-1003030
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H Found at http://www.securityfocus.com/bid/107476
Vector: SSVCv2/E:A/A:N/T:T/P:M/B:A/M:M/D:A/2025-02-07T13:07:24Z/ Found at http://www.securityfocus.com/bid/107476
Exploit Prediction Scoring System (EPSS)
Percentile 0.9977
EPSS Score 0.92885
Published At April 13, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:50:08.748804+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jenkins-ci.plugins.workflow/workflow-cps/CVE-2019-1003030.yml 38.0.0