Critical severity · NVD Advisory · Published Apr 18, 2019 · Updated Aug 4, 2024
CVE-2019-10306
Description
A sandbox bypass vulnerability in Jenkins ontrack Plugin 3.4 and earlier allowed attackers with control over ontrack DSL definitions to execute arbitrary code on the Jenkins master JVM.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:ontrack (Maven) | < 3.4.1 | 3.4.1 |
Affected products
- Range: 3.4 and earlier
Patches
7f0f806c18fd: SECURITY-1341 Fixing SECURITY-1336 / CVE-2019-1003029 / https://jenkins.io/security/advisory/2019-03-06
3 files changed · +13 −19
pom.xml+1 −1 modified@@ -85,7 +85,7 @@ <dependency> <groupId>org.jenkins-ci.plugins</groupId> <artifactId>script-security</artifactId> - <version>1.30</version> + <version>1.57</version> </dependency> <!-- Pipeline Step API --> <dependency>
src/main/java/net/nemerosa/ontrack/jenkins/dsl/AbstractDSLLauncher.java+9 −12 modified@@ -3,9 +3,10 @@ import groovy.lang.Binding; import groovy.lang.GroovyCodeSource; import groovy.lang.GroovyShell; -import groovy.lang.Script; import org.codehaus.groovy.control.CompilerConfiguration; +import java.util.Collections; + import static groovy.lang.GroovyShell.DEFAULT_CODE_BASE; public abstract class AbstractDSLLauncher implements DSLLauncher { @@ -14,27 +15,23 @@ public abstract class AbstractDSLLauncher implements DSLLauncher { public Object run(String dsl, Binding binding) { CompilerConfiguration compilerConfiguration = prepareCompilerConfiguration(); ClassLoader classLoader = prepareClassLoader(AbstractDSLLauncher.class.getClassLoader()); - GroovyCodeSource groovyCodeSource = prepareGroovyCodeSource(dsl); // Groovy shell GroovyShell shell = new GroovyShell( classLoader, - new Binding(), + binding, compilerConfiguration ); - // Groovy script - Script groovyScript = shell.parse(groovyCodeSource); - - // Binding - groovyScript.setBinding(binding); - // Runs the script - return run(groovyScript); + return run(shell, dsl); } - protected Object run(Script groovyScript) { - return groovyScript.run(); + protected Object run(GroovyShell groovyShell, String script) { + return groovyShell.run( + prepareGroovyCodeSource(script), + Collections.emptyList() + ); } protected GroovyCodeSource prepareGroovyCodeSource(String dsl) {
src/main/java/net/nemerosa/ontrack/jenkins/dsl/SandboxDSLLauncher.java+3 −6 modified@@ -1,10 +1,7 @@ package net.nemerosa.ontrack.jenkins.dsl; -import groovy.lang.Script; +import groovy.lang.GroovyShell; import hudson.model.Item; -import hudson.security.ACL; -import jenkins.model.Jenkins; -import org.acegisecurity.AccessDeniedException; import org.codehaus.groovy.control.CompilerConfiguration; import org.jenkinsci.plugins.scriptsecurity.sandbox.RejectedAccessException; import org.jenkinsci.plugins.scriptsecurity.sandbox.Whitelist; @@ -32,9 +29,9 @@ protected ClassLoader prepareClassLoader(ClassLoader classLoader) { } @Override - protected Object run(Script groovyScript) { + protected Object run(GroovyShell groovyShell, String script) { try { - return GroovySandbox.run(groovyScript, new ProxyWhitelist(Whitelist.all(), new OntrackDSLWhitelist())); + return GroovySandbox.run(groovyShell, script, new ProxyWhitelist(Whitelist.all(), new OntrackDSLWhitelist())); } catch (RejectedAccessException e) { throw new OntrackDSLException( e.getMessage(),
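Review bot: the script-security bump from 1.30 to 1.57 in the pom.xml hunk is load-bearing, not housekeeping: the `GroovySandbox.run(GroovyShell, String, Whitelist)` overload that the SandboxDSLLauncher hunk now calls does not exist in 1.30, so the plugin's dependency floor moves with this commit. State the new minimum explicitly in the changelog for installations that pin plugin versions, and keep the bump in the same release as the launcher change rather than backporting one without the other.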
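Review bot: the `run` change in the AbstractDSLLauncher hunk is a protected-API break that needs a Javadoc note: `run(Script)` is removed and `run(GroovyShell, String)` takes its place, so a subclass that overrode the old method without `@Override` now compiles but silently falls through to the unsandboxed default, which both compiles and executes the source via `groovyShell.run(prepareGroovyCodeSource(script), Collections.emptyList())`. Document on the new method that it owns compilation as well as execution: the reason `shell.parse(groovyCodeSource)` disappears from the base `run(String, Binding)` is that the source must not be compiled before the sandbox is in place, and a subclass that parses first and hands a `Script` to the sandbox reintroduces exactly that gap. Passing `binding` to the `GroovyShell` constructor instead of calling `setBinding` on the parsed script is behaviour-preserving and fine.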
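Review bot: in the SandboxDSLLauncher hunk, confirm that the dropped imports (`ACL`, `Jenkins`, `AccessDeniedException`) were genuinely dead: the diff removes them but shows no removed code that used them, so if a permission check sat between the two shown regions it left this diff without a trace. Two follow-ups on the `run` override: the sandbox now receives the shell and the raw source and compiles it under the interceptor, which only covers the compile step if the `CompilerConfiguration` this launcher builds in `prepareCompilerConfiguration()` (not in the hunk) is the secure one, so add a test that a DSL using a compile-time annotation is rejected rather than executed; and the unchanged `catch (RejectedAccessException e)` wraps `e.getMessage()` into an `OntrackDSLException` without first calling `ScriptApproval.get().accessRejected(e, ApprovalContext.create())`, so rejected signatures never reach the in-process script approval queue and administrators get an error message instead of something they can approve.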
References
- GitHub Security Advisory GHSA-qw28-g63m-jxqv: github.com/advisories/GHSA-qw28-g63m-jxqv
- NVD entry: nvd.nist.gov/vuln/detail/CVE-2019-10306
- SecurityFocus BID 108045: www.securityfocus.com/bid/108045
- Fix commit (jenkinsci/ontrack-plugin): github.com/jenkinsci/ontrack-plugin/commit/7f0f806c18fdd6043103d848ba4c813cb805dd85
- Jenkins Security Advisory 2019-04-17: jenkins.io/security/advisory/2019-04-17/