VYPR
Moderate severity · NVD Advisory · Published Sep 12, 2019 · Updated Aug 4, 2024

CVE-2019-10399

Description

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of property names in property expressions in increment and decrement expressions allowed attackers to execute arbitrary code in sandboxed scripts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier allows attackers to execute arbitrary code in sandboxed scripts via crafted property names in increment and decrement expressions.

Overview

A sandbox bypass vulnerability in Jenkins Script Security Plugin versions 1.62 and earlier allowed attackers to execute arbitrary code within the Groovy sandbox by crafting property names in property expressions used in increment (++) and decrement (--) expressions. [1][2] This flaw is part of a group of sandbox bypass issues disclosed in the same security advisory. [3]

Exploitation

To exploit this vulnerability, an attacker needs the ability to define and save a script that is run under sandboxed Groovy execution. Typically this means a Jenkins user holding a permission such as Job/Configure in a plugin that integrates with the Script Security plugin; administrator-level Overall/RunScripts is not required. [1] By crafting a property expression whose property name is itself a specially constructed expression inside an increment or decrement expression, the attacker can circumvent the sandbox restrictions that normally prevent access to sensitive APIs. [1][2][3]

Impact

Successful exploitation allows the attacker to execute arbitrary code outside the sandbox, effectively bypassing all script security protections. This can lead to complete compromise of the Jenkins controller, including unauthorized access to all managed resources, credentials, and sensitive information. [2][3] The Jenkins Security Advisory rated this vulnerability as High severity. [3]

Mitigation

The vulnerability was fixed in Script Security Plugin version 1.63, released on 2019-09-12. [4] Users are strongly advised to upgrade to version 1.63 or later. No workarounds are mentioned in the advisory. [3][4]

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
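The two practical checks a defender wants from the Exploitation and Mitigation sections above are (a) a way to triage already-stored job scripts for the syntax shapes this fix blocks, and (b) a way to tell whether an installed script-security version predates 1.63. The following Python is an added example written for this page; it is not code from the Script Security plugin, groovy-sandbox or the advisory. The names `scan_groovy`, `is_vulnerable_version`, `Finding`, `FIXED_VERSION` and both sample scripts are constructed here, and the scanner is a textual heuristic (it does not strip comments or string literals and is not a Groovy parser). The flagged shapes are exactly the ones the commit's tests exercise: a member name given as a parenthesised expression in `++`/`--`, assignment and call position, and `++`/`--` applied to a parenthesised subexpression.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# script-security 1.63 is the first fixed release named in the advisory.
FIXED_VERSION = (1, 63)


@dataclass(frozen=True)
class Finding:
    line: int
    kind: str  # 'dynamic-member', 'prefix-subexpression' or 'postfix-subexpression'
    op: str    # '++', '--', '=', 'call' or 'read'
    text: str  # the offending source line, stripped


def _matching_close(src: str, open_idx: int) -> int:
    """Index of the ')' matching the '(' at src[open_idx], or -1 if unbalanced."""
    depth = 0
    for j in range(open_idx, len(src)):
        if src[j] == "(":
            depth += 1
        elif src[j] == ")":
            depth -= 1
            if depth == 0:
                return j
    return -1


def _preceding_token(src: str, idx: int) -> str:
    """Non-blank text just before idx: '.', '++', '--', one other char, or ''."""
    k = idx - 1
    while k >= 0 and src[k] in " \t":
        k -= 1
    if k < 0:
        return ""
    if k >= 1 and src[k - 1:k + 1] in ("++", "--"):
        return src[k - 1:k + 1]
    return src[k]


def scan_groovy(src: str) -> list[Finding]:
    """Heuristic scan for the shapes the SECURITY-1538 fix blocks: member names
    written as parenthesised expressions (obj.(expr), obj.(expr)(...), obj.(expr) = v,
    obj.(expr)++) and ++/-- applied to a parenthesised subexpression."""
    lines = src.splitlines()
    findings: list[Finding] = []
    for m in re.finditer(r"\(", src):
        o = m.start()
        c = _matching_close(src, o)
        if c == -1:
            continue
        before = _preceding_token(src, o)
        after = src[c + 1:].lstrip(" \t")
        line = src.count("\n", 0, o) + 1
        text = lines[line - 1].strip()
        if before == ".":  # the member name itself is an expression
            op = "read"
            for cand in ("++", "--", "=", "("):
                if after.startswith(cand) and not after.startswith("=="):
                    op = "call" if cand == "(" else cand
                    break
            findings.append(Finding(line, "dynamic-member", op, text))
        elif before in ("++", "--"):  # ++(expr) / --(expr)
            findings.append(Finding(line, "prefix-subexpression", before, text))
        elif after[:2] in ("++", "--") and not before.isalnum() and before not in tuple("_$)]"):
            findings.append(Finding(line, "postfix-subexpression", after[:2], text))  # (expr)++
    return findings


def is_vulnerable_version(version: str) -> bool:
    """True when a script-security version string sorts below 1.63. Only leading
    numeric components are compared, so '1.62', '1.62-SNAPSHOT' and Jenkins'
    newer '<build>.v<hash>' style versions are all handled."""
    nums = []
    for part in version.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
        if m.end() != len(part):
            break
    return tuple(nums) < FIXED_VERSION


# Constructed sample reusing the shapes exercised by the commit's tests; line 4
# is an ordinary increment and must not be flagged.
SAMPLE_SCRIPT = """\
import jenkins.model.Jenkins
class Test { def x = 0 }
def t = new Test()
t.x++
t.({ Jenkins.getInstance(); 'x' }())++
t.({ Jenkins.getInstance(); 'x' }()) = 1
1.({ Jenkins.getInstance(); 'toString' }())()
++({ Jenkins.getInstance(); 1 }())
({ Jenkins.getInstance(); 1 }())++"""

# Constructed benign pipeline-style script that must produce no findings.
BENIGN_SCRIPT = "def n = env.BUILD_NUMBER.toInteger()\nn++\nif (n > 3) { println(n) }"
```

Running `scan_groovy(SAMPLE_SCRIPT)` reports lines 5 to 9 with their operator context and leaves the ordinary `t.x++` on line 4 alone; `scan_groovy(BENIGN_SCRIPT)` returns nothing. The scanner is a triage aid for reviewing stored job definitions after the fact, not a substitute for the upgrade: the only reliable mitigation remains script-security 1.63 or later, which `is_vulnerable_version` helps confirm across an inventory of controllers.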

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                   Ecosystem   Affected versions   Patched versions
org.jenkins-ci.plugins:script-security    Maven       < 1.63              1.63

Affected products: 2

Patches: 1
b28e4dc5584e

[SECURITY-1538] Problems with method and property names and increment/decrement operators

2 files changed · +36 −1
  • pom.xml  +1 −1  modified
    @@ -50,7 +50,7 @@
         <dependency>
           <groupId>org.kohsuke</groupId>
           <artifactId>groovy-sandbox</artifactId>
    -      <version>1.22</version>
    +      <version>1.23</version>
           <exclusions>
             <exclusion>
               <groupId>org.codehaus.groovy</groupId>
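Review bot: this bump of groovy-sandbox from 1.22 to 1.23 is the only non-test change in the commit, so the behavioural fix for SECURITY-1538 lives in the upstream sandbox library rather than in this repository's code; the commit message should state that, and a reviewer should confirm the 1.23 release actually carries the change. The SandboxInterceptorTest cases added in the same commit are what keep a later downgrade of `<version>1.23</version>` from silently reintroducing the bypass, so they belong in the same commit as this bump.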
    
  • src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java  +35 −0  modified
    @@ -1226,4 +1226,39 @@ public void scriptInitializersClassSyntax() throws Exception {
                     "  def run() { MyScript.foo }\n" +
                     "}\n");
         }
    +
    +    @Issue("SECURITY-1538")
    +    @Test public void blockMethodNameInMethodCalls() throws Exception {
    +        assertRejected(new GenericWhitelist(), "staticMethod jenkins.model.Jenkins getInstance",
    +                "import jenkins.model.Jenkins\n" +
    +                "1.({ Jenkins.getInstance(); 'toString' }())()");
    +    }
    +
    +    @Issue("SECURITY-1538")
    +    @Test public void blockPropertyNameInAssignment() throws Exception {
    +        assertRejected(new GenericWhitelist(), "staticMethod jenkins.model.Jenkins getInstance",
    +                "import jenkins.model.Jenkins\n" +
    +                "class Test { def x = 0 }\n" +
    +                "def t = new Test()\n" +
    +                "t.({ Jenkins.getInstance(); 'x' }()) = 1\n");
    +    }
    +
    +    @Issue("SECURITY-1538")
    +    @Test public void blockPropertyNameInPrefixPostfixExpressions() throws Exception {
    +        assertRejected(new GenericWhitelist(), "staticMethod jenkins.model.Jenkins getInstance",
    +                "import jenkins.model.Jenkins\n" +
    +                "class Test { def x = 0 }\n" +
    +                "def t = new Test()\n" +
    +                "t.({ Jenkins.getInstance(); 'x' }())++\n");
    +    }
    +
    +    @Issue("SECURITY-1538")
    +    @Test public void blockSubexpressionsInPrefixPostfixExpressions() throws Exception {
    +        assertRejected(new GenericWhitelist(), "staticMethod jenkins.model.Jenkins getInstance",
    +                "import jenkins.model.Jenkins\n" +
    +                "++({ Jenkins.getInstance(); 1 }())\n");
    +        assertRejected(new GenericWhitelist(), "staticMethod jenkins.model.Jenkins getInstance",
    +                "import jenkins.model.Jenkins\n" +
    +                "({ Jenkins.getInstance(); 1 }())++\n");
    +    }
     }
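Review bot: each new test asserts only that `staticMethod jenkins.model.Jenkins getInstance` is rejected; none checks that the ordinary forms of the same expressions (`t.x++`, `t.x = 1`, and the plain method-call and prefix cases) are still accepted under `GenericWhitelist`, so a sandbox change that over-blocked every property or increment expression would pass all four tests. Add an accepting counterpart beside each rejecting case, and consider hoisting the repeated `new GenericWhitelist()` and the `"import jenkins.model.Jenkins\n"` prefix into shared fields so the four cases stay readable.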
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0