CVE-2019-1003032
Description
A sandbox bypass vulnerability exists in Jenkins Email Extension Plugin 2.64 and earlier in pom.xml, src/main/java/hudson/plugins/emailext/ExtendedEmailPublisher.java, src/main/java/hudson/plugins/emailext/plugins/content/EmailExtScript.java, src/main/java/hudson/plugins/emailext/plugins/content/ScriptContent.java, src/main/java/hudson/plugins/emailext/plugins/trigger/AbstractScriptTrigger.java that allows attackers with Job/Configure permission to execute arbitrary code on the Jenkins master JVM.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Email Extension Plugin ≤2.64 allows users with Job/Configure permission to bypass the sandbox and execute arbitrary code on the master JVM.
Vulnerability
A sandbox bypass vulnerability exists in the Jenkins Email Extension Plugin version 2.64 and earlier [1][2][3]. The flaw is present in multiple source files including ExtendedEmailPublisher.java, EmailExtScript.java, ScriptContent.java, and AbstractScriptTrigger.java, allowing attackers with Job/Configure permission to escape the Groovy sandbox and execute arbitrary code on the Jenkins master JVM [2][3].
Exploitation
An attacker must have Job/Configure permission for a Jenkins project that uses the Email Extension Plugin [2]. The attacker can craft a malicious Groovy script within the email extension configuration (e.g., in script-based content or triggers). When the plugin evaluates this script, the sandbox protection is bypassed, leading to code execution on the master [2][3].
Impact
Successful exploitation allows the attacker to execute arbitrary code on the Jenkins master JVM, potentially leading to full compromise of the Jenkins controller, disclosure of sensitive information, and the ability to perform further attacks on connected systems [2][3].
Mitigation
The vulnerability is fixed in Email Extension Plugin version 2.65, released on 2019-03-06 [2]. Users should upgrade immediately. There is no known workaround for versions 2.64 and earlier [2][3]. The plugin is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:email-ext (Maven) | < 2.65 | 2.65 |
Affected products
- Jenkins project / Jenkins Email Extension Plugin (range: 2.64 and earlier)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-qwm8-vgm6-f86p (GitHub Security Advisory; tags: ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-1003032 (NVD entry; tags: ghsa, ADVISORY)
- www.securityfocus.com/bid/107476 (SecurityFocus BID; tags: ghsa, vdb-entry, x_refsource_BID, WEB)
- jenkins.io/security/advisory/2019-03-06/ (Jenkins security advisory; tags: ghsa, x_refsource_CONFIRM, WEB)