CRITICAL🚩 CISA KEV⚡ EXPLOIT✓ PATCH🇵🇱 Wersja polska

CVE-2019-1003030

CVSS 9.9v3.1pub. 2019-03-08upd. 2025-10-24

A sandbox bypass vulnerability exists in Jenkins Pipeline: Groovy Plugin 2.63 and earlier in pom.xml, src/main/java/org/jenkinsci/plugins/workflow/cps/CpsGroovyShell.java that allows attackers able to control pipeline scripts to execute arbitrary code on the Jenkins master JVM.

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Jenkins Pipeline\

    APP
    Jenkins
    _groovy
  • Red Hat OpenShift Container Platform

    APP
    Redhat
    3.11

CISA KEV — detailsi

Vendori
Jenkins
Producti
Matrix Project Plugin
Added to KEVi
March 25, 2022
Remediation deadline (US Federal)i
April 15, 2022(overdue)
Required action (CISA)i

Apply updates per vendor instructions.

CISA descriptioni

Jenkins Matrix Project plugin contains a vulnerability which can allow users to escape the sandbox, opening opportunity to perform remote code execution.

🔴
IMMEDIATE ACTION
Actively exploited in the wild (CISA KEV). Patch immediately.
CISA DEADLINE: 15 kwietnia 2022
Tags
RCECI/CD
CWE
References

Related vulnerabilities

CVE-2019-7609CRITICAL10.0⚠ KEVten sam produkt

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. A...

CVE-2019-1003029CRITICAL9.9⚠ KEVten sam produkt

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/...

CVE-2018-1000861CRITICAL9.8⚠ KEVten sam produkt

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.13...

CVE-2026-4408CRITICAL9.0PL ✓ten sam produkt

Samba: RCE przez command injection w 'check password script' z podstawieniem %u

CVE-2026-4480CRITICAL9.0PL ✓ten sam produkt

Samba: command injection w podsystemie drukowania przez podstawienie %J