VYPR
Critical severity · NVD Advisory · Published Mar 28, 2019 · Updated Aug 5, 2024

CVE-2019-1003040

Description

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.55 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Sandbox bypass in Jenkins Script Security Plugin <=1.55 allows attackers to invoke arbitrary constructors via type casts/coercion.

Vulnerability

The Jenkins Script Security Plugin, versions 1.55 and earlier, contains a sandbox bypass. The sandbox checks constructor calls written as new T(...) against the whitelist, but a type cast or type coercion (for example of a list to a target type) also ends in a constructor call on that type, and that path was not checked, so a sandboxed script could construct instances of arbitrary types [2]. A related fix in the Pipeline: Groovy Plugin is tracked as CVE-2019-1003041.

Exploitation

An attacker able to run sandboxed scripts (for example a user with Job/Configure permission who can edit a Pipeline or another sandboxed Groovy script) writes a cast or coercion such as value as SomeType, (SomeType) value or SomeType x = value whose target type has a constructor matching the value. Groovy resolves it by calling that constructor, and the vulnerable sandbox did not apply the constructor whitelist on that path, so types whose constructors are not whitelisted could be instantiated [2][4]. The fix's own test makes the mapping explicit: castToType(['/tmp'], File) is expected to be rejected as the constructor new java.io.File java.lang.String.
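To make the mechanism concrete, here is an added Groovy example that is not code from the plugin or the advisory. It runs outside any sandbox, defines a hypothetical class Probe so that constructor calls are observable, and shows that each of Groovy's cast and coercion forms on a list ends in a constructor call on the target type, selected by argument count and type:

```groovy
// Added example, not part of the Script Security Plugin. Probe is a
// hypothetical class used only so that the constructor calls are visible.
class Probe {
    static List<String> calls = []
    Probe(String a)        { calls << "Probe(String) <- ${a}".toString() }
    Probe(String a, int b) { calls << "Probe(String,int) <- ${a},${b}".toString() }
}

// 1. Explicit coercion with `as` (compiles to ScriptBytecodeAdapter.asType)
def p1 = ['x'] as Probe

// 2. Java-style cast of a list (compiles to ScriptBytecodeAdapter.castToType)
def p2 = (Probe) ['y']

// 3. Declaration with a list initializer: assignment coercion, same path as 2
Probe p3 = ['z', 3]

// None of the three lines above contains the token `new`, yet every one of
// them invoked a Probe constructor chosen by the list's size and element types.
assert Probe.calls == [
    'Probe(String) <- x',
    'Probe(String) <- y',
    'Probe(String,int) <- z,3',
]
assert [p1, p2, p3].every { it instanceof Probe }

// Before Script Security 1.56 a sandboxed script reached these constructors
// without a "new Probe ..." whitelist entry. From 1.56 the same cast is
// checked as a constructor call, so Probe(String) must be whitelisted or the
// script is rejected; the fix's test expects the rejection
// "new java.io.File java.lang.String" for castToType(['/tmp'], File).
```

The three forms are the ones a script author writes day to day, which is why the fix had to cover the cast interception itself and not only blacklist the two ScriptBytecodeAdapter helpers.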

Impact

Successful exploitation enables the attacker to invoke arbitrary constructors, which can lead to arbitrary code execution within the Jenkins controller. This compromises the confidentiality, integrity, and availability of Jenkins and its managed jobs [2].

Mitigation

The vulnerability is fixed in Script Security Plugin version 1.56, released on 2019-03-25 [2]. Users should upgrade to version 1.56 or later. No workaround is available; upgrading is the only mitigation [2][4].
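An added check, not from the advisory, for the Jenkins script console (the place a Jenkins administrator would actually run it). It compares the installed Script Security Plugin against the first fixed release using Jenkins' own hudson.util.VersionNumber rather than string comparison, so versions such as 1.6 or a constructed 1.55.1 sort correctly. It reads plugin metadata only and changes nothing:

```groovy
// Added check, not code from the plugin or the advisory.
// Run in Manage Jenkins -> Script Console (requires Overall/Administer).
import hudson.util.VersionNumber
import jenkins.model.Jenkins

boolean affectedByCve20191003040(String installedVersion) {
    // VersionNumber compares component-wise, so '1.6' < '1.55' and '1.55.1' < '1.56';
    // a plain string comparison would get the first of those wrong.
    new VersionNumber(installedVersion).isOlderThan(new VersionNumber('1.56'))
}

// Sanity checks on constructed version strings (not real installations).
assert affectedByCve20191003040('1.55')
assert affectedByCve20191003040('1.55.1')
assert affectedByCve20191003040('1.6')
assert !affectedByCve20191003040('1.56')
assert !affectedByCve20191003040('1.57')

def plugin = Jenkins.instance.pluginManager.getPlugin('script-security')
if (plugin == null) {
    println 'script-security is not installed; CVE-2019-1003040 does not apply'
} else if (affectedByCve20191003040(plugin.version)) {
    println "VULNERABLE: script-security ${plugin.version} is older than 1.56 (CVE-2019-1003040); upgrade, there is no workaround"
} else {
    println "OK: script-security ${plugin.version} (1.56 or later)"
}
```

Because the advisory offers no workaround, the only useful output of the check is whether the upgrade to 1.56 has landed; a restart after the upgrade is what makes the new plugin version active.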

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:script-security (Maven)
Affected versions: < 1.56
Patched versions: 1.56

Affected products: 2

Patches: 1

Commit 8424ad90547e

[SECURITY-1353] Problems with casts

4 files changed · +24 −8
  • pom.xml (+3 −3, modified)
    @@ -16,8 +16,8 @@
         <properties>
           <revision>1.56</revision>
           <changelist>-SNAPSHOT</changelist>
    -      <jenkins.version>2.7.3</jenkins.version>
    -      <java.level>7</java.level>
    +      <jenkins.version>2.60.3</jenkins.version>
    +      <java.level>8</java.level>
         </properties>
         <licenses>
             <license>
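Review bot: bumping jenkins.version from 2.7.3 to 2.60.3 and java.level from 7 to 8 in the same commit as the security fix raises the plugin's minimum core and JDK requirement; since there is no workaround for SECURITY-1353, installations still on a core older than 2.60.3 or on Java 7 cannot take 1.56 without a core upgrade first. Either split the baseline bump into its own commit or state the new requirement in the changelog next to the security entry.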
    @@ -50,7 +50,7 @@
         <dependency>
           <groupId>org.kohsuke</groupId>
           <artifactId>groovy-sandbox</artifactId>
    -      <version>1.20</version>
    +      <version>1.21</version>
           <exclusions>
             <exclusion>
               <groupId>org.codehaus.groovy</groupId>
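Review bot: the groovy-sandbox bump from 1.20 to 1.21 is load-bearing for this fix, not routine maintenance: the new test at the end of typeCoercion expects org.kohsuke.groovy.sandbox.impl.Checker.checkedCast(File, ['/tmp'], true, false, false) to be rejected as "new java.io.File java.lang.String", which only holds if the 1.21 Checker routes list-to-type casts through the interceptor's constructor check. Say so in the commit message and add a short comment next to the version so a later downgrade or range relaxation is not treated as harmless.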
    
  • src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/blacklist (+4 −0, modified)
    @@ -104,5 +104,9 @@ staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getMetaPropertyVal
     staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getProperties java.lang.Object
     staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods putAt java.lang.Object java.lang.String java.lang.Object
     
    +# SECURITY-1353
    +staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter asType java.lang.Object java.lang.Class
    +staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter castToType java.lang.Object java.lang.Class
    +
     # TODO do we need a @Blacklisted annotation?
     method org.jenkinsci.plugins.workflow.support.steps.build.RunWrapper getRawBuild
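Review bot: the two new entries need a reason, not only the issue key. "# SECURITY-1353" says nothing about why ScriptBytecodeAdapter.asType and castToType are dangerous; a comment along the lines of "# direct calls skip the cast interception; the result is a constructor call on the target type" would stop a later maintainer from re-whitelisting them as plain cast helpers. Worth a word too that castToType is both removed from generic-whitelist and blacklisted here while asType is only blacklisted; the asymmetry is fine, but it looks accidental without a note.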
    
  • src/main/resources/org/jenkinsci/plugins/scriptsecurity/sandbox/whitelists/generic-whitelist (+0 −1, modified)
    @@ -724,7 +724,6 @@ staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethodsSupport createSimil
     staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethodsSupport createSimilarMap java.util.Map
     staticMethod org.codehaus.groovy.runtime.InvokerHelper asIterator java.lang.Object
     staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter bitwiseNegate java.lang.Object
    -staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter castToType java.lang.Object java.lang.Class
     staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter compareEqual java.lang.Object java.lang.Object
     staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter compareGreaterThan java.lang.Object java.lang.Object
     staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter compareGreaterThanEqual java.lang.Object java.lang.Object
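Review bot: removing castToType from the generic whitelist is a behaviour change for any sandboxed script that called ScriptBytecodeAdapter.castToType explicitly; it ran on 1.55 and will be rejected on 1.56, so the changelog should say so. The removal itself is right: the new positive assertions for (double) Math.max(2, 3), Math.max(2, 3) as double and double x = Math.max(2, 3) show that ordinary primitive casts and coercions no longer depend on this entry.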
    
  • src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java (+17 −4, modified)
    @@ -39,6 +39,7 @@
     import groovy.text.Template;
     import hudson.Functions;
     import hudson.util.IOUtils;
    +import java.lang.reflect.Constructor;
     
     import java.lang.reflect.Method;
     import java.net.URL;
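Review bot: style only: the added "import java.lang.reflect.Constructor;" sits above the blank line, separated from "import java.lang.reflect.Method;" that follows it; keep the two java.lang.reflect imports together.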
    @@ -592,10 +593,13 @@ public String toString() {
                 @Override public boolean permitsMethod(Method method, Object receiver, Object[] args) {
                     return method.getDeclaringClass() == GroovyObject.class && method.getName().equals("getProperty") && receiver instanceof SpecialScript && args[0].equals("magic");
                 }
    +            @Override public boolean permitsConstructor(Constructor<?> constructor, Object[] args) {
    +                return constructor.getDeclaringClass() == SpecialScript.class;
    +            }
             };
    -        assertEquals(42, GroovySandbox.run(shell.parse("magic"), wl));
    +        assertEquals(42, GroovySandbox.run(shell, "magic", wl));
             try {
    -            GroovySandbox.run(shell.parse("boring"), wl);
    +            GroovySandbox.run(shell, "boring", wl);
             } catch (MissingPropertyException x) {
                 assertEquals("boring", x.getProperty());
             }
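Review bot: the try block at the end of this hunk, "try { GroovySandbox.run(shell, "boring", wl); } catch (MissingPropertyException x) { ... }", passes silently if no exception is thrown, so the test would not notice if the sandbox stopped rejecting the unwhitelisted property; add fail("expected MissingPropertyException") after the run call. Separately, the new permitsConstructor override allows every constructor declared on SpecialScript regardless of args and carries no explanation; since the same hunk moves parsing from shell.parse("magic") outside the sandbox to GroovySandbox.run(shell, "magic", wl) inside it, the override presumably exists so the script class's own construction passes the whitelist, and a one-line comment saying so would spare the next reader the inference.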
    @@ -619,12 +623,21 @@ public static abstract class SpecialScript extends Script {
             assertEvaluate(new StaticWhitelist("new java.util.Properties"), new Properties(), script);
         }
     
    -    @Issue("SECURITY-566")
    +    @Issue({"SECURITY-566", "SECURITY-1353"})
         @Test public void typeCoercion() throws Exception {
             assertRejected(new StaticWhitelist("staticMethod java.util.Locale getDefault"), "method java.util.Locale getCountry", "interface I {String getCountry()}; (Locale.getDefault() as I).getCountry()");
             assertRejected(new StaticWhitelist("staticMethod java.util.Locale getDefault"), "method java.util.Locale getCountry", "interface I {String getCountry()}; (Locale.getDefault() as I).country");
             assertRejected(new ProxyWhitelist(), "staticMethod java.util.Locale getAvailableLocales", "interface I {Locale[] getAvailableLocales()}; (Locale as I).getAvailableLocales()");
             assertRejected(new ProxyWhitelist(), "staticMethod java.util.Locale getAvailableLocales", "interface I {Locale[] getAvailableLocales()}; (Locale as I).availableLocales");
    +        assertEvaluate(new StaticWhitelist("staticMethod java.lang.Math max int int"), 3.0d, "(double) Math.max(2, 3)");
    +        assertEvaluate(new StaticWhitelist("staticMethod java.lang.Math max int int"), 3.0d, "Math.max(2, 3) as double");
    +        assertEvaluate(new StaticWhitelist("staticMethod java.lang.Math max int int"), 3.0d, "double x = Math.max(2, 3); x");
    +        assertRejected(new GenericWhitelist(), "staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter asType java.lang.Object java.lang.Class",
    +            "def f = org.codehaus.groovy.runtime.ScriptBytecodeAdapter.asType(['/tmp'], File); echo(/$f/)");
    +        assertRejected(new GenericWhitelist(), "staticMethod org.codehaus.groovy.runtime.ScriptBytecodeAdapter castToType java.lang.Object java.lang.Class",
    +            "def f = org.codehaus.groovy.runtime.ScriptBytecodeAdapter.castToType(['/tmp'], File); echo(/$f/)");
    +        assertRejected(new GenericWhitelist(), "new java.io.File java.lang.String",
    +            "def f = org.kohsuke.groovy.sandbox.impl.Checker.checkedCast(File, ['/tmp'], true, false, false); echo(/$f/)");
         }
     
         @Issue("SECURITY-580")
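Review bot: the three new negative cases exercise only the explicit call forms (ScriptBytecodeAdapter.asType, ScriptBytecodeAdapter.castToType and Checker.checkedCast), and the first two are simply the new blacklist entries; the method is named typeCoercion and the bug is in implicit casts, yet no new case asserts that ['/tmp'] as File, (File) ['/tmp'] or File f = ['/tmp'] is rejected as "new java.io.File java.lang.String" under a GenericWhitelist. Add those so that a regression in the cast interception, as opposed to the blacklist, is caught. Minor: the scripts end in echo(/$f/), which a plain GroovyShell does not define; the rejection happens first, but if it ever regresses the failure surfaces as a MissingMethodException rather than an unexpected success, which is confusing. Returning f or calling f.toString() avoids that.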
    @@ -847,7 +860,7 @@ public void blockedASTTransformsGrab() throws Exception {
     
         private static Object evaluate(Whitelist whitelist, String script) {
             GroovyShell shell = new GroovyShell(GroovySandbox.createSecureCompilerConfiguration());
    -        Object actual = GroovySandbox.run(shell.parse(script), whitelist);
    +        Object actual = GroovySandbox.run(shell, script, whitelist);
             if (actual instanceof GString) {
                 actual = actual.toString(); // for ease of comparison
             }
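Review bot: all three call sites now use GroovySandbox.run(shell, script, whitelist) instead of parse-then-run, but the four files in this commit (pom.xml, blacklist, generic-whitelist, SandboxInterceptorTest.java) contain no main-source change introducing that overload, so the test only compiles if it already exists in GroovySandbox; the commit message should name the change it depends on. Moving parsing inside the sandbox also changes what every test in this class exercises, since script compilation and script-class construction are now under the whitelist; that is a larger semantic shift than the one-line diff in this helper suggests and deserves a sentence in the commit message.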
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 7
