CVE-2019-10394 — Sandbox bypass vulnerability in Jenkins Script Security Plugin

Description

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.62 and earlier related to the handling of property names in property expressions on the left-hand side of assignment expressions allowed attackers to execute arbitrary code in sandboxed scripts.

How to fix CVE-2019-10394

To remediate CVE-2019-10394, upgrade the affected package to a fixed version below.

—upgrade to 1.63 or later

Is CVE-2019-10394 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.63

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.2	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-10394
PATCHgithub.com/jenkinsci/script-security-plugin
WEBgithub.com/jenkinsci/script-security-plugin/commit/b28e4dc5584ef6515aeb9bc834691176546d0689
WEBjenkins.io/security/advisory/2019-09-12/#SECURITY-1538