CVE-2019-10431
Description
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.64 and earlier related to the handling of default parameter expressions in constructors allowed attackers to execute arbitrary code in sandboxed scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Script Security Plugin 1.64 and earlier allows sandbox bypass via default parameter expressions in constructors, enabling arbitrary code execution.
Vulnerability
A sandbox bypass vulnerability exists in the Jenkins Script Security Plugin versions 1.64 and earlier. The issue arises from improper handling of default parameter expressions in constructors, which allowed scripts running in the sandbox to bypass security restrictions [3][4].
Exploitation
An attacker with the ability to specify and run sandboxed scripts (e.g., users with Job/Configure permission) can exploit this flaw. By crafting script code that leverages default parameter expressions, they can execute arbitrary code, circumventing the Groovy sandbox protections intended to limit script actions [2][4].
Impact
Successful exploitation gives the attacker full control over the Jenkins controller JVM. This includes the ability to read secrets, modify configuration, or execute arbitrary commands on the Jenkins server, potentially compromising the entire CI/CD pipeline [3][4].
Mitigation
The vulnerability is fixed in Script Security Plugin version 1.75 and later [1]. Users are strongly advised to update immediately. As a workaround, restrict the permissions of users who can run sandboxed scripts to trusted administrators only [2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:script-security (Maven) | < 1.65 | 1.65 |
Affected products
- Jenkins project / Jenkins Script Security Plugin, range: 1.64 and earlier
Patches
415b6e2f3fa0 [SECURITY-1579] Transform initial expressions for parameters in constructors that call super
2 files changed · +14 −1
pom.xml+1 −1 modified@@ -51,7 +51,7 @@ <dependency> <groupId>org.kohsuke</groupId> <artifactId>groovy-sandbox</artifactId> - <version>1.23</version> + <version>1.24</version> <exclusions> <exclusion> <groupId>org.codehaus.groovy</groupId>
src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java+13 −0 modified@@ -1261,4 +1261,17 @@ public void scriptInitializersClassSyntax() throws Exception { "import jenkins.model.Jenkins\n" + "({ Jenkins.getInstance(); 1 }())++\n"); } + + @Issue("SECURITY-1579") + @Test public void blockInitialExpressionsInConstructorsCallingSuper() throws Exception { + assertRejected(new GenericWhitelist(), "staticMethod jenkins.model.Jenkins getInstance", + "import jenkins.model.Jenkins\n" + + "class B {}\n" + + "class A extends B {\n" + + " A(x = Jenkins.getInstance()) {\n" + + " super()\n" + + " }\n" + + "}\n" + + "new A()\n"); + } }
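Review bot: The only non-test change in this commit is the groovy-sandbox bump from `<version>1.23</version>` to `<version>1.24</version>` in pom.xml, so the transformation named in the commit message ("Transform initial expressions for parameters in constructors that call super") is implemented in that dependency, not in this repository. The commit message or CHANGELOG.md should reference the groovy-sandbox change it relies on, otherwise someone auditing this plugin's history cannot see where constructor default parameter expressions are now intercepted, and should confirm that 1.24 carries no other sandbox behaviour changes that would need their own coverage here.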
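Review bot: The new `blockInitialExpressionsInConstructorsCallingSuper` test exercises only a constructor whose body calls `super()` explicitly (`A(x = Jenkins.getInstance()) { super() }`), while the advisory text describes default parameter expressions in constructors generally. Add a sibling case for a constructor with the same default expression but no explicit `super()` call, so the rejection of `staticMethod jenkins.model.Jenkins getInstance` is asserted on both paths, and a positive case in which a whitelisted default expression still evaluates, to catch over-blocking introduced by groovy-sandbox 1.24.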
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- access.redhat.com/errata/RHSA-2019:4055 (vendor advisory, Red Hat)
- access.redhat.com/errata/RHSA-2019:4089 (vendor advisory, Red Hat)
- access.redhat.com/errata/RHSA-2019:4097 (vendor advisory, Red Hat)
- github.com/advisories/GHSA-72gx-qq2m-6xr2 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-10431 (advisory)
- www.openwall.com/lists/oss-security/2019/10/01/2 (mailing list)
- github.com/jenkinsci/script-security-plugin/blob/7bd58b8635709cecdb50018844e5d6dbe1ce13ea/CHANGELOG.md (web)
- github.com/jenkinsci/script-security-plugin/commit/415b6e2f3fa0c2e4bd2f9c4a589a9e1fc9cbac8b (web)
- jenkins.io/security/advisory/2019-10-01/ (vendor advisory)
News mentions
No linked articles in our index yet.