Critical severityCISA KEVNVD Advisory· Published Mar 8, 2019· Updated Oct 21, 2025

CVE-2019-1003030

Description

A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java that allows attackers able to control pipeline scripts to execute arbitrary code on the Jenkins master JVM.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.jenkins-ci.plugins.workflow:workflow-cpsMaven	< 2.64	2.64

Affected products

Jenkins project/Jenkins Pipeline: Groovy Pluginv5
Range: 2.63 and earlier

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

access.redhat.com/errata/RHSA-2019:0739ghsavendor-advisoryx_refsource_REDHATWEB
github.com/advisories/GHSA-r6mc-mrvr-23crghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2019-1003030ghsaADVISORY
packetstormsecurity.com/files/159603/Jenkins-2.63-Sandbox-Bypass.htmlghsax_refsource_MISCWEB
www.securityfocus.com/bid/107476mitrevdb-entryx_refsource_BID
jenkins.io/security/advisory/2019-03-06/mitrex_refsource_CONFIRM
jenkins.io/security/advisory/2019-03-06/ghsaWEB
www.cisa.gov/known-exploited-vulnerabilities-catalogghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.074
exploit	0.030
kev	0.120
patch	0.000
ransomware	0.000