CVE-2019-16538
Description
A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.67 and earlier related to the handling of default parameter expressions in closures allowed attackers to execute arbitrary code in sandboxed scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Script Security Plugin 1.67 and earlier allowed sandbox bypass via closure default parameter expressions, enabling arbitrary code execution.
Vulnerability
Overview
The Jenkins Script Security Plugin, designed to sandbox Groovy scripts, contained a bypass vulnerability in versions 1.67 and earlier. The flaw resided in how the plugin handled default parameter expressions within closures; these expressions were not subject to the same sandbox restrictions as other script elements [1][2]. By crafting a closure with a malicious default parameter, an attacker could circumvent the security sandbox entirely.
Exploitation
Prerequisites
Exploitation requires an attacker to have the ability to specify and run sandboxed scripts within Jenkins. This typically means having at least Overall/Read permission, or being able to submit scripts via a Jenkins job or plugin that executes sandboxed Groovy code [1]. Successful exploitation does not require any special network position beyond access to the Jenkins web interface or API.
Impact
Assessment
An attacker exploiting this vulnerability can execute arbitrary code in the context of the Jenkins controller JVM [1]. This could lead to full compromise of the Jenkins server, including access to secrets, credentials, configuration files, and the ability to launch further attacks within the infrastructure.
Mitigation
Status
The issue was addressed in Script Security Plugin version 1.68, released on 2019-11-21 [1][3]. Users are strongly advised to upgrade immediately. No workarounds are documented; the vulnerability is closed by ensuring that default parameter expressions in closures are also subject to sandbox protection [4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:script-security (Maven) | < 1.68 | 1.68 |
Affected products
- Jenkins project / Jenkins Script Security Plugin (range: 1.67 and earlier)
Patches
0e7da14171ed [SECURITY-1658] Transform initial expressions for parameters in closure expressions
2 files changed · +8 −1
pom.xml+1 −1 modified@@ -63,7 +63,7 @@ <dependency> <groupId>org.kohsuke</groupId> <artifactId>groovy-sandbox</artifactId> - <version>1.24</version> + <version>1.25</version> <exclusions> <exclusion> <groupId>org.codehaus.groovy</groupId>
src/test/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/SandboxInterceptorTest.java+7 −0 modified@@ -1274,4 +1274,11 @@ public void scriptInitializersClassSyntax() throws Exception { "}\n" + "new A()\n"); } + + @Issue("SECURITY-1658") + @Test public void blockInitialExpressionsInClosures() throws Exception { + assertRejected(new GenericWhitelist(), "staticMethod jenkins.model.Jenkins getInstance", + "import jenkins.model.Jenkins\n" + + "({ j = Jenkins.getInstance() -> true })()\n"); + } }
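Review bot: the pom.xml hunk is the entire fix, and nothing in the diff says which groovy-sandbox change it depends on; the bump from 1.24 to 1.25 should be accompanied by a note (in the commit body or a comment next to the dependency) stating that the sandbox-side transformation of closure parameter initial expressions lives in groovy-sandbox 1.25, so that a future dependency downgrade or a managed-version override from a parent POM is recognized as reopening SECURITY-1658 rather than as a harmless version change.

Review bot: the new blockInitialExpressionsInClosures test exercises only one shape of the bypass, a static method call in a parameter default expression of a closure that is invoked immediately; consider adding a sibling case where the default expression sits in a nested closure or calls a constructor or property getter, and a positive assertion that a benign default such as `{ x = 1 -> x }` is still accepted by the whitelist, so the test also guards against the transformation over-rejecting ordinary closures.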
References
1. github.com/advisories/GHSA-62pm-mgrh-7p69 (GHSA advisory)
2. nvd.nist.gov/vuln/detail/CVE-2019-16538 (NVD record, advisory)
3. www.openwall.com/lists/oss-security/2019/11/21/1 (oss-security mailing list, MLIST)
4. github.com/jenkinsci/script-security-plugin/commit/0e7da14171ed1d03ff72f6910392e630b40a8590 (fix commit)
5. jenkins.io/security/advisory/2019-11-21/ (vendor advisory, CONFIRM)