CVE-2019-1003033
Description
Jenkins Groovy Plugin 2.1 and earlier allows attackers with Overall/Read permission to bypass the sandbox and execute arbitrary code on the Jenkins master JVM.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A sandbox bypass vulnerability exists in Jenkins Groovy Plugin versions 2.1 and earlier. The issue is located in src/main/java/hudson/plugins/groovy/StringScriptSource.java and affects the script validation endpoint exposed by the plugin. The plugin failed to apply sandbox protection during parsing, compilation, and script instantiation, allowing a crafted Groovy script to circumvent the security sandbox. The vulnerability is triggered via the doCheckScript method, which previously called GroovyShell.parse() on the submitted script; parse() instantiates the compiled script class, and that instantiation ran outside the sandbox [1][2][3].
Exploitation
An attacker needs to have Overall/Read permission on the Jenkins instance. The attacker can provide a crafted Groovy script to the script validation HTTP endpoint. By exploiting the lack of sandbox protection during parsing and compilation, the attacker's script is executed without the constraints normally applied by the Script Security Plugin. The fix involved updating the Script Security dependency and replacing the unsafe GroovyShell.parse() call with GroovySandbox.checkScriptForCompilationErrors() [1][3].
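As an added illustration (not code from the Groovy Plugin or from this page), the Java program below contrasts the two validation shapes visible in the fix commit: the removed `GroovyShell.parse()` call, which compiles and then instantiates the script class, and a compile-only check using `GroovyClassLoader.parseClass()`, the behaviour that the commit's new test (`doNotExecuteConstructors`) asserts for the replacement `GroovySandbox.checkScriptForCompilationErrors()`. It uses plain Groovy on the classpath with no Script Security sandbox, so the only variable is whether the class gets constructed; the class names, the `demo.constructorRan` system property and the sample script are constructed for this demonstration.

```java
import groovy.lang.GroovyClassLoader;
import groovy.lang.GroovyShell;
import org.codehaus.groovy.control.CompilationFailedException;
import org.codehaus.groovy.control.CompilerConfiguration;

/**
 * Added example, not the plugin's code. Shows why a "validation" endpoint
 * must compile only and never instantiate the submitted script class.
 * Assumes a Groovy jar on the classpath.
 */
public class CompileOnlyCheck {

    // Constructed sample input: a script that consists of a single class with a
    // main() method. Groovy treats such a class as the script's main class, and
    // GroovyShell.parse() constructs an instance of it, running the constructor.
    static final String SCRIPT =
        "class SideEffect {\n" +
        "    static void main(String[] args) {}\n" +
        "    SideEffect() { System.setProperty('demo.constructorRan', 'true') }\n" +
        "}\n";

    /**
     * Vulnerable shape (mirrors the removed doCheckScript branch, minus the
     * sandbox configuration): parse() compiles AND instantiates the class.
     */
    static String vulnerableCheck(String script) {
        try {
            new GroovyShell(new CompilerConfiguration()).parse(script);
            return "OK";
        } catch (CompilationFailedException e) {
            return "ERROR: " + e.getMessage();
        }
    }

    /**
     * Hardened shape: parseClass() compiles and defines the class but never
     * calls a constructor, so user-supplied code cannot run during validation.
     */
    static String compileOnlyCheck(String script) {
        GroovyClassLoader loader = new GroovyClassLoader(
                CompileOnlyCheck.class.getClassLoader(), new CompilerConfiguration());
        try {
            loader.parseClass(script);   // define the class; do not construct it
            return "OK";
        } catch (CompilationFailedException e) {
            return "ERROR: " + e.getMessage();
        }
    }

    /** Reports whether the constructed script's constructor ran in this JVM. */
    static boolean constructorRan() {
        return "true".equals(System.getProperty("demo.constructorRan"));
    }

    public static void main(String[] args) {
        System.clearProperty("demo.constructorRan");
        System.out.println("parse():      " + vulnerableCheck(SCRIPT)
                + "  constructorRan=" + constructorRan());

        System.clearProperty("demo.constructorRan");
        System.out.println("parseClass(): " + compileOnlyCheck(SCRIPT)
                + "  constructorRan=" + constructorRan());

        // A compile-only check still has to surface syntax errors to the user.
        System.out.println("broken input: " + compileOnlyCheck("class Broken {"));
    }
}
```

Compile and run this against a Groovy 2.x or later jar. The first line reports that the constructor ran because `parse()` built a `SideEffect` instance, the second reports that it did not, and the third shows that syntax errors are still reported by the compile-only path, which is the property the replacement helper has to preserve.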
Impact
Successful exploitation allows the attacker to execute arbitrary code on the Jenkins master JVM. This results in complete compromise of the Jenkins controller, including the ability to read, modify, or delete any data accessible to the Jenkins process, and potentially pivot to other systems reachable from the master [1][2].
Mitigation
The vulnerability is fixed in Jenkins Groovy Plugin version 2.2, released on 2019-03-06 [1]. Users should upgrade to version 2.2 or later. The fix updates the dependency on script-security to version 1.54 and replaces the insecure script validation with a sandboxed check. No known workarounds exist for versions 2.1 and earlier [1][3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:groovy (Maven) | < 2.2 | 2.2 |
Affected products
- Range: 2.1 and earlier
Patches
40777c212d45 [SECURITY-1338] Prevent unsandboxed invocation of constructors
3 files changed · +19 −9
pom.xml+1 −1 modified@@ -53,7 +53,7 @@ <dependency> <groupId>org.jenkins-ci.plugins</groupId> <artifactId>script-security</artifactId> - <version>1.50</version> + <version>1.54</version> </dependency> </dependencies>
src/main/java/hudson/plugins/groovy/StringScriptSource.java+3 −8 modified@@ -1,6 +1,5 @@ package hudson.plugins.groovy; -import groovy.lang.GroovyShell; import hudson.Extension; import hudson.FilePath; import hudson.model.BuildListener; @@ -9,10 +8,10 @@ import hudson.util.FormValidation; import java.io.IOException; -import org.codehaus.groovy.control.CompilationFailedException; import org.jenkinsci.plugins.scriptsecurity.sandbox.groovy.GroovySandbox; import org.kohsuke.stapler.DataBoundConstructor; import org.kohsuke.stapler.QueryParameter; +import org.kohsuke.stapler.interceptor.RequirePOST; /** * Groovy script specified by command string. @@ -63,16 +62,12 @@ public String getDisplayName() { return "Groovy command"; } + @RequirePOST public FormValidation doCheckScript(@QueryParameter String command) { if (command == null || command.trim().isEmpty()) return FormValidation.error("Script seems to be empty string!"); - try { - new GroovyShell(GroovySandbox.createSecureCompilerConfiguration()).parse(command); - return FormValidation.ok("So far so good"); - } catch (CompilationFailedException e) { - return FormValidation.error(e.getMessage()); - } + return GroovySandbox.checkScriptForCompilationErrors(command, null); } } }
src/test/java/hudson/plugins/groovy/StringScriptSourceTest.java+15 −0 modified@@ -24,12 +24,14 @@ package hudson.plugins.groovy; +import hudson.util.FormValidation; import org.junit.Rule; import org.junit.Test; import org.jvnet.hudson.test.Issue; import org.jvnet.hudson.test.JenkinsRule; import static org.hamcrest.Matchers.containsString; +import static org.hamcrest.Matchers.equalTo; import static org.junit.Assert.assertNull; import static org.junit.Assert.assertThat; @@ -58,4 +60,17 @@ public void blockGrab() throws Exception { assertThat(d.doCheckScript("@Grab(group='foo', module='bar', version='1.0')\ndef foo\n").toString(), containsString("Annotation Grab cannot be used in the sandbox")); } + + @Issue("SECURITY-1338") + @Test + public void doNotExecuteConstructors() throws Exception { + StringScriptSource.DescriptorImpl d = j.jenkins.getDescriptorByType(StringScriptSource.DescriptorImpl.class); + assertThat(d.doCheckScript("class DoNotRunConstructor {\n" + + " static void main(String[] args) {}\n" + + " DoNotRunConstructor() {\n" + + " assert jenkins.model.Jenkins.instance.createProject(hudson.model.FreeStyleProject, 'should-not-exist')\n" + + " }\n" + + "}\n").kind, equalTo(FormValidation.Kind.OK)); // Compilation ends before the constructor is invoked. + assertNull(j.jenkins.getItem("should-not-exist")); + } }
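Review bot: (pom.xml hunk) the script-security bump from 1.50 to 1.54 appears to be required by the new `GroovySandbox.checkScriptForCompilationErrors` call in StringScriptSource.java, so the commit message should say that 1.54 is the version that supplies it; a consumer who cherry-picks only the Java change would otherwise get a compile failure without knowing why.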
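Review bot: (StringScriptSource.java, doCheckScript hunk) the defect in the removed lines is that `GroovyShell.parse(command)` instantiates the parsed script class, so the secure compiler configuration alone did not stop a constructor from running during validation; a one-line comment above `return GroovySandbox.checkScriptForCompilationErrors(command, null);` saying that this helper compiles without instantiating would stop a future refactor from reintroducing `.parse()`, and the `null` second argument deserves a note on what it selects since the call site does not show it. The added `@RequirePOST` is a separate hardening of the endpoint that the commit message "[SECURITY-1338] Prevent unsandboxed invocation of constructors" does not mention; document it there or split it out. Also note the user-visible text changes, since the removed branch returned `FormValidation.ok("So far so good")` and the new path returns whatever the helper builds.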
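Review bot: (StringScriptSourceTest.java hunk) `doNotExecuteConstructors` covers only the positive path; because the replaced code returned `FormValidation.error(e.getMessage())` on `CompilationFailedException` and the new code delegates entirely to `checkScriptForCompilationErrors`, add a companion case asserting that a syntactically broken script still yields `FormValidation.Kind.ERROR`, otherwise a helper that swallowed compile errors would pass this suite. The existing `blockGrab` test checks a rejection message via `toString()` but never the `kind`, so it does not close that gap. The `assertNull(j.jenkins.getItem("should-not-exist"))` line is the assertion that actually proves the constructor did not run and should stay even if the `kind` check is relaxed.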
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-fm3j-r98g-97jh (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-1003033 (advisory)
- www.securityfocus.com/bid/107476 (BID vdb-entry)
- github.com/jenkinsci/groovy-plugin/commit/40777c212d45031324685b54816212299fbe434f (fix commit)
- jenkins.io/security/advisory/2019-03-06/ (vendor advisory, confirm)