{
  "threat_severity" : "Important",
  "public_date" : "2019-03-06T00:00:00Z",
  "bugzilla" : {
    "description" : "jenkins-plugin-workflow-cps: Sandbox bypass in Pipeline: Groovy Plugin (SECURITY-1336(2))",
    "id" : "1690665",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1690665"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.8",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-20",
  "details" : [ "A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier (pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java) that allows attackers able to control pipeline scripts to execute arbitrary code on the Jenkins master JVM.", "A flaw was found in the Jenkins Workflow CPS (Pipeline: Groovy) plugin. The parsing, compilation, and instantiation of a crafted Groovy pipeline script could escape the Groovy sandbox, allowing a user who can control a pipeline script (e.g. by editing a Pipeline job's script or a Jenkinsfile that the job builds) to execute arbitrary code on the Jenkins master JVM. Only low-privilege access to Jenkins is required, consistent with the CVSS vector (PR:L). The highest risk from this vulnerability is to data confidentiality and integrity as well as system availability." ],
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "release_date" : "2019-04-10T00:00:00Z",
    "advisory" : "RHSA-2019:0739",
    "cpe" : "cpe:/a:redhat:openshift:3.11::el7",
    "package" : "jenkins-2-plugins-0:3.11.1552336312-1.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.10",
    "fix_state" : "Will not fix",
    "package_name" : "jenkins-2-plugins",
    "cpe" : "cpe:/a:redhat:openshift:3.10"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.4",
    "fix_state" : "Will not fix",
    "package_name" : "jenkins-plugin-workflow-cps",
    "cpe" : "cpe:/a:redhat:openshift:3.4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.5",
    "fix_state" : "Will not fix",
    "package_name" : "jenkins-plugin-workflow-cps",
    "cpe" : "cpe:/a:redhat:openshift:3.5"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.6",
    "fix_state" : "Will not fix",
    "package_name" : "jenkins-2-plugins",
    "cpe" : "cpe:/a:redhat:openshift:3.6"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.7",
    "fix_state" : "Will not fix",
    "package_name" : "jenkins-2-plugins",
    "cpe" : "cpe:/a:redhat:openshift:3.7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.9",
    "fix_state" : "Will not fix",
    "package_name" : "jenkins-2-plugins",
    "cpe" : "cpe:/a:redhat:openshift:3.9"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "jenkins-2-plugins",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-1003030\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-1003030\nhttps://jenkins.io/security/advisory/2019-03-06/#SECURITY-1336%20(2)\nhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog" ],
  "name" : "CVE-2019-1003030",
  "csaw" : false
}