CVE-2019-10394
Description
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of property names in property expressions on the left-hand side of assignment expressions allowed attackers to execute arbitrary code in sandboxed scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A sandbox bypass in Jenkins Script Security Plugin <=1.62 lets attackers use crafted property names in assignment expressions to execute arbitrary code.
Sandbox Bypass via Property Name Crafting
The Script Security Plugin enforces a Groovy sandbox to limit what scripts authored by non-admin users can do [1]. CVE-2019-10394 arises from a flaw in the handling of property names on the left-hand side of assignment expressions: the sandbox did not correctly validate these names, allowing specially crafted property names to escape the sandbox [2][3]. Version 1.62 and all earlier releases are affected [2].
Exploitation
To exploit this vulnerability, an attacker needs the ability to define or modify a Groovy script that runs in the Script Security sandbox (e.g., by having Job/Configure permission) [1][3]. By constructing an assignment statement such that the left-hand side uses a maliciously crafted property name, the attacker can bypass the sandbox's method-call and property-access controls [3]. No other special privileges are required after that point.
Impact
Successful exploitation allows the attacker to execute arbitrary code inside the sandboxed script context [2][3]. Because the sandbox is intended to prevent such code from reaching Jenkins internals, this bypass effectively removes the security boundary. An attacker could then potentially perform actions equivalent to a fully trusted script author, including accessing sensitive configuration, altering job definitions, or triggering further attacks [1].
Mitigation
The Jenkins Security Advisory of 2019-09-12 announced the fix and urged users to upgrade Script Security Plugin to version 1.63 or later [3][4]. There is no known workaround short of upgrading [3]. The vulnerability is rated High severity (no CVSS 3.x vector is given in the references, but the advisory labels it High) [3].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:script-security (Maven) | < 1.63 | 1.63 |
Affected products
- Jenkins project / Jenkins Script Security Plugin, range: 1.62 and earlier
Patches
b28e4dc5584e [SECURITY-1538] Problems with method and property names and increment/decrement operators
2 files changed · +36 −1
pom.xml+1 −1 modified@@ -50,7 +50,7 @@ <dependency> <groupId>org.kohsuke</groupId> <artifactId>groovy-sandbox</artifactId> - <version>1.22</version> + <version>1.23</version> <exclusions> <exclusion> <groupId>org.codehaus.groovy</groupId>
src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java+35 −0 modified@@ -1226,4 +1226,39 @@ public void scriptInitializersClassSyntax() throws Exception { " def run() { MyScript.foo }\n" + "}\n"); } + + @Issue("SECURITY-1538") + @Test public void blockMethodNameInMethodCalls() throws Exception { + assertRejected(new GenericWhitelist(), "staticMethod jenkins.model.Jenkins getInstance", + "import jenkins.model.Jenkins\n" + + "1.({ Jenkins.getInstance(); 'toString' }())()"); + } + + @Issue("SECURITY-1538") + @Test public void blockPropertyNameInAssignment() throws Exception { + assertRejected(new GenericWhitelist(), "staticMethod jenkins.model.Jenkins getInstance", + "import jenkins.model.Jenkins\n" + + "class Test { def x = 0 }\n" + + "def t = new Test()\n" + + "t.({ Jenkins.getInstance(); 'x' }()) = 1\n"); + } + + @Issue("SECURITY-1538") + @Test public void blockPropertyNameInPrefixPostfixExpressions() throws Exception { + assertRejected(new GenericWhitelist(), "staticMethod jenkins.model.Jenkins getInstance", + "import jenkins.model.Jenkins\n" + + "class Test { def x = 0 }\n" + + "def t = new Test()\n" + + "t.({ Jenkins.getInstance(); 'x' }())++\n"); + } + + @Issue("SECURITY-1538") + @Test public void blockSubexpressionsInPrefixPostfixExpressions() throws Exception { + assertRejected(new GenericWhitelist(), "staticMethod jenkins.model.Jenkins getInstance", + "import jenkins.model.Jenkins\n" + + "++({ Jenkins.getInstance(); 1 }())\n"); + assertRejected(new GenericWhitelist(), "staticMethod jenkins.model.Jenkins getInstance", + "import jenkins.model.Jenkins\n" + + "({ Jenkins.getInstance(); 1 }())++\n"); + } }
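Review bot: the only production change in this commit is the groovy-sandbox bump from 1.22 to 1.23 in pom.xml, so the code that actually closes SECURITY-1538 lives in the upstream dependency and is invisible in this diff. Consider a comment beside `<version>1.23</version>` (or a sentence in the commit message) stating that 1.23 is the minimum version whose interceptor covers the computed method and property names the new tests exercise, so that a later downgrade or a loosened version range is recognised as reopening the sandbox bypass rather than as a routine dependency change.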
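Review bot: the four new tests in SandboxInterceptorTest assert rejection only, and every case funnels the side effect through the same `staticMethod jenkins.model.Jenkins getInstance` signature; there is no positive case showing that a literal `t.x = 1` or `t.x++` against `class Test { def x = 0 }` is still accepted under GenericWhitelist, so an over-broad fix that rejects every property assignment on a sandboxed object would pass this suite unnoticed. The commit title also names increment/decrement operators, yet blockPropertyNameInPrefixPostfixExpressions and blockSubexpressionsInPrefixPostfixExpressions exercise only `++`; adding the `--` counterparts of the three existing expressions would make the test coverage match the title.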
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-hvmx-5hv4-f235 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-10394 (ghsa; ADVISORY)
- www.openwall.com/lists/oss-security/2019/09/12/2 (ghsa; mailing-list, x_refsource_MLIST, WEB)
- github.com/jenkinsci/script-security-plugin/commit/b28e4dc5584ef6515aeb9bc834691176546d0689 (ghsa; WEB)
- jenkins.io/security/advisory/2019-09-12/ (ghsa; x_refsource_CONFIRM, WEB)
News mentions
No linked articles in our index yet.