CVE-2019-10400
Description
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of subexpressions in increment and decrement expressions not involving actual assignment allowed attackers to execute arbitrary code in sandboxed scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A sandbox bypass in Jenkins Script Security Plugin 1.62 and earlier allows attackers to execute arbitrary code via crafted subexpressions in increment/decrement expressions.
Vulnerability Overview
The Jenkins Script Security Plugin provides a sandbox that restricts what Groovy scripts can do, preventing untrusted users from executing arbitrary code. However, version 1.62 and earlier contain a flaw in the handling of subexpressions in increment and decrement expressions that do not involve actual assignment. The sandbox's AST (Abstract Syntax Tree) scanning incorrectly allowed such expressions to bypass the security checks, enabling malicious code to be injected and executed within the sandboxed script environment [1][2].
Exploitation Vector
To exploit this vulnerability, an attacker must have the ability to define or modify Groovy scripts in Jenkins, typically with permissions like Job/Configure. The crafted script uses increment or decrement operators on subexpressions (e.g., (x).y++) where the subexpression does not represent an actual assignment target. The Script Security Plugin's sandbox validation fails to recognize this pattern as a security violation, allowing arbitrary method calls or property accesses that would normally be blocked [3].
Impact
Successful exploitation bypasses the sandbox entirely, granting the attacker the ability to execute arbitrary Groovy code on the Jenkins controller. This could lead to full compromise of the Jenkins instance, including access to credentials, configuration changes, and execution of system commands. The advisory rates this vulnerability as High severity (CVSS 3.0 base score 7.6) due to the potential for complete loss of confidentiality, integrity, and availability [3][4].
Mitigation
The vulnerability is fixed in Script Security Plugin version 1.63, which updates the sandbox to correctly handle these expression patterns. Users are strongly advised to upgrade to this version immediately. No workarounds are documented; the only effective mitigation is to apply the plugin update [3][4].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins:script-security | Maven | < 1.63 | 1.63 |
Affected products
- Jenkins project / Jenkins Script Security Plugin (range: 1.62 and earlier)
Patches
- b28e4dc5584e: [SECURITY-1538] Problems with method and property names and increment/decrement operators
2 files changed · +36 −1
pom.xml+1 −1 modified@@ -50,7 +50,7 @@ <dependency> <groupId>org.kohsuke</groupId> <artifactId>groovy-sandbox</artifactId> - <version>1.22</version> + <version>1.23</version> <exclusions> <exclusion> <groupId>org.codehaus.groovy</groupId>
src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java+35 −0 modified@@ -1226,4 +1226,39 @@ public void scriptInitializersClassSyntax() throws Exception { " def run() { MyScript.foo }\n" + "}\n"); } + + @Issue("SECURITY-1538") + @Test public void blockMethodNameInMethodCalls() throws Exception { + assertRejected(new GenericWhitelist(), "staticMethod jenkins.model.Jenkins getInstance", + "import jenkins.model.Jenkins\n" + + "1.({ Jenkins.getInstance(); 'toString' }())()"); + } + + @Issue("SECURITY-1538") + @Test public void blockPropertyNameInAssignment() throws Exception { + assertRejected(new GenericWhitelist(), "staticMethod jenkins.model.Jenkins getInstance", + "import jenkins.model.Jenkins\n" + + "class Test { def x = 0 }\n" + + "def t = new Test()\n" + + "t.({ Jenkins.getInstance(); 'x' }()) = 1\n"); + } + + @Issue("SECURITY-1538") + @Test public void blockPropertyNameInPrefixPostfixExpressions() throws Exception { + assertRejected(new GenericWhitelist(), "staticMethod jenkins.model.Jenkins getInstance", + "import jenkins.model.Jenkins\n" + + "class Test { def x = 0 }\n" + + "def t = new Test()\n" + + "t.({ Jenkins.getInstance(); 'x' }())++\n"); + } + + @Issue("SECURITY-1538") + @Test public void blockSubexpressionsInPrefixPostfixExpressions() throws Exception { + assertRejected(new GenericWhitelist(), "staticMethod jenkins.model.Jenkins getInstance", + "import jenkins.model.Jenkins\n" + + "++({ Jenkins.getInstance(); 1 }())\n"); + assertRejected(new GenericWhitelist(), "staticMethod jenkins.model.Jenkins getInstance", + "import jenkins.model.Jenkins\n" + + "({ Jenkins.getInstance(); 1 }())++\n"); + } }
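Review bot: The pom.xml hunk carries the entire fix as a dependency bump of groovy-sandbox from 1.22 to 1.23, with no code change in this repository; the commit message and PR description should therefore point at the corresponding groovy-sandbox change so a reviewer can verify that 1.23 is in fact the release that corrects subexpression handling in prefix/postfix expressions and computed method/property names, rather than relying on the new tests alone to prove it.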
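Review bot: All four new tests in SandboxInterceptorTest.java are negative cases (assertRejected on "staticMethod jenkins.model.Jenkins getInstance") and none asserts that the benign forms still evaluate under the same GenericWhitelist, e.g. `t.x++`, `++i` on a local variable, or `t.x = 1` with a literal property name, so a sandbox regression that started rejecting every increment/decrement or assignment would pass this suite; add an accepted counterpart next to each rejected case, and consider also covering the decrement operator since blockSubexpressionsInPrefixPostfixExpressions only exercises `++`.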
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- [1] github.com/advisories/GHSA-76q7-r3g4-wvm4 (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2019-10400 (NVD advisory)
- [3] www.openwall.com/lists/oss-security/2019/09/12/2 (oss-security mailing list)
- [4] github.com/jenkinsci/script-security-plugin/commit/b28e4dc5584ef6515aeb9bc834691176546d0689 (fix commit)
- [5] jenkins.io/security/advisory/2019-09-12/ (Jenkins security advisory)