{
  "threat_severity" : "Important",
  "public_date" : "2019-03-25T00:00:00Z",
  "bugzilla" : {
    "description" : "jenkins-plugin-script-security: Sandbox bypass in Script Security Plugin and Pipeline: Groovy Plugin (SECURITY-1353)",
    "id" : "1694532",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1694532"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.8",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-704",
  "details" : [ "A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.55 and earlier allows attackers to invoke arbitrary constructors in sandboxed scripts.", "A flaw was found in the Jenkins Script Security plugin. Groovy Plugins could be circumvented through methods supporting type casts and type coercion allowing attackers to invoke constructors for arbitrary types. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability." ],
  "affected_release" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "release_date" : "2019-06-10T00:00:00Z",
    "advisory" : "RHSA-2019:1423",
    "cpe" : "cpe:/a:redhat:openshift:3.11::el7",
    "package" : "jenkins-2-plugins-0:3.11.1553788831-1.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.10",
    "fix_state" : "Will not fix",
    "package_name" : "jenkins-plugin-script-security",
    "cpe" : "cpe:/a:redhat:openshift:3.10"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.4",
    "fix_state" : "Out of support scope",
    "package_name" : "jenkins-plugin-script-security",
    "cpe" : "cpe:/a:redhat:openshift:3.4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.5",
    "fix_state" : "Out of support scope",
    "package_name" : "jenkins-plugin-script-security",
    "cpe" : "cpe:/a:redhat:openshift:3.5"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.6",
    "fix_state" : "Will not fix",
    "package_name" : "jenkins-plugin-script-security",
    "cpe" : "cpe:/a:redhat:openshift:3.6"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.7",
    "fix_state" : "Will not fix",
    "package_name" : "jenkins-plugin-script-security",
    "cpe" : "cpe:/a:redhat:openshift:3.7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.9",
    "fix_state" : "Will not fix",
    "package_name" : "jenkins-plugin-script-security",
    "cpe" : "cpe:/a:redhat:openshift:3.9"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "jenkins-2-plugins",
    "cpe" : "cpe:/a:redhat:openshift:4"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-1003040\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-1003040\nhttps://jenkins.io/security/advisory/2019-03-25/#SECURITY-1353" ],
  "name" : "CVE-2019-1003040",
  "csaw" : false
}