PatchSiren

PatchSiren cyber security CVE debrief

CVE-2019-1003000 Jenkins Script Security Plugin CVE debrief

CVE-2019-1003000 describes a sandbox bypass in Jenkins Script Security Plugin 1.49 and earlier. An attacker who can supply a script that runs under the plugin's Groovy sandbox may escape the intended restrictions and execute arbitrary code in the Jenkins master (controller) JVM. Because the controller holds the credentials, job definitions and agent connections for the whole installation, this is a high-impact issue wherever untrusted users or integrations can submit Groovy scripts.

Vendor
Jenkins project (taken from the CVE description; no vendor field was supplied in the stored evidence)
Product
Script Security Plugin, 1.49 and earlier
CVSS
Not supplied in stored evidence
CISA KEV
Not listed in stored evidence
Original CVE published
2019-01-22
Original CVE updated
2026-05-15
Advisory published
2026-05-15
Advisory updated
2026-05-15

Who should care

Jenkins administrators, platform owners, and security teams running Script Security Plugin 1.49 or earlier, especially in installations where users, jobs, or integrations can submit sandboxed scripts.

Technical summary

The vulnerability is located in src/main/java/org/jenkinsci/plugins/scriptsecurity/sandbox/groovy/GroovySandbox.java in Script Security Plugin 1.49 and earlier. It is a sandbox bypass: an attacker able to provide sandboxed scripts may execute arbitrary code on the Jenkins master JVM instead of remaining confined to the sandbox. Two points matter when assessing it. First, the Groovy sandbox is an in-process interception of script operations inside the controller JVM, not an operating-system or container boundary, so a bypass yields code execution with the controller's full privileges and there is no second layer to fall back on. Second, the upstream Jenkins security advisory of 2019-01-08 (SECURITY-1266), which is not part of the stored evidence, attributes the bypass to Groovy compile-phase processing (AST transformation annotations) that the sandbox did not intercept, and names Script Security 1.50 as the fixed release.

Defensive priority

High. Treat as urgent in any Jenkins environment that accepts user-supplied or integration-supplied sandboxed scripts, because successful exploitation results in arbitrary code execution on the Jenkins master JVM with no further privilege escalation needed. The supplied EPSS signal is very high (score 0.94443, 99.992nd percentile), which further raises the priority of exposure review and remediation.

Recommended defensive actions

  • Upgrade Jenkins Script Security Plugin to 1.50 or later (the fixed release named in the upstream Jenkins security advisory of 2019-01-08; that version is not recorded in the stored evidence), and update the Pipeline plugins the same advisory covers.
  • Inventory where sandboxed scripts are accepted (Pipeline jobs with the sandbox option enabled, shared libraries, and plugins that execute Groovy) and restrict script submission to trusted users and workflows. Sandboxed scripts, unlike unsandboxed ones, run without administrator approval through In-process Script Approval, so the sandbox is the only control between a script author and the controller.
  • Treat the Jenkins master/controller as highly sensitive and limit network and administrative access to it.
  • Audit Jenkins jobs, shared libraries, and integrations that rely on Groovy sandbox execution, and remove or re-approve any whose authors are not trusted with controller-level access.
  • Monitor for unexpected script execution, new entries in In-process Script Approval, configuration changes, or other signs of controller compromise (for example child processes spawned by the controller JVM that no job should produce).
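As an added check for the first two actions above (example code written for this debrief, not code from the PatchSiren page or the Jenkins project): a Python audit that flags a vulnerable Script Security version in a plugin inventory and inventories the Pipeline jobs that accept sandboxed scripts. Assumptions, all labelled in the code: the inventory is the JSON served by the controller's /pluginManager/api/json?depth=1 endpoint (fields plugins[].shortName and plugins[].version), a Pipeline job's config.xml keeps its inline script under a definition element with a sandbox child, and the fixed release 1.50 is taken from the upstream Jenkins advisory rather than from the stored evidence. The inventory and job configurations are constructed samples, not captures from a real controller.

```python
"""Exposure check for CVE-2019-1003000 on a Jenkins controller.

Added example, not code from the PatchSiren page or the Jenkins project.
Labelled assumptions: the plugin inventory is the JSON served by
/pluginManager/api/json?depth=1 (fields plugins[].shortName and
plugins[].version); a Pipeline job's config.xml carries its inline script
under <definition> with a <sandbox> child; and the fixed release, 1.50,
comes from the upstream Jenkins security advisory rather than from the
stored evidence on this page.
"""
import json
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

PLUGIN_SHORT_NAME = "script-security"
FIXED_VERSION = "1.50"  # assumption: first release without this bypass (upstream advisory)


def parse_version(version: str) -> Tuple[int, ...]:
    """Reduce a Jenkins plugin version to its leading dotted-numeric part.

    "1.49" -> (1, 49); "1.49.1" -> (1, 49, 1); "1.50-beta-1" -> (1, 50).
    Pre-release suffixes are dropped, so a 1.50 pre-release is treated as
    1.50; tighten this if your inventory contains such builds.
    """
    match = re.match(r"[0-9]+(?:\.[0-9]+)*", version.strip())
    if match is None:
        raise ValueError(f"unparseable plugin version: {version!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def version_less_than(a: str, b: str) -> bool:
    """Numeric comparison with zero padding, so "1.50" equals "1.50.0"."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))


def find_vulnerable_plugins(inventory_json: str) -> List[Dict[str, str]]:
    """Return script-security entries whose version predates FIXED_VERSION."""
    findings: List[Dict[str, str]] = []
    for plugin in json.loads(inventory_json).get("plugins", []):
        if plugin.get("shortName") != PLUGIN_SHORT_NAME:
            continue
        installed = plugin.get("version", "")
        if version_less_than(installed, FIXED_VERSION):
            findings.append({"shortName": PLUGIN_SHORT_NAME, "version": installed})
    return findings


def job_accepts_sandboxed_script(config_xml: str) -> bool:
    """True if a Pipeline job runs its inline script under the Groovy sandbox.

    Sandboxed scripts run without administrator approval, so these jobs are
    the entry points this bypass turns into controller code execution.
    """
    sandbox = ET.fromstring(config_xml).find("./definition/sandbox")
    return sandbox is not None and (sandbox.text or "").strip().lower() == "true"


# Constructed samples; not captured from a real controller.
SAMPLE_PLUGIN_INVENTORY = json.dumps({
    "plugins": [
        {"shortName": "script-security", "version": "1.49"},
        {"shortName": "workflow-cps", "version": "2.61"},
    ]
})

SAMPLE_SANDBOXED_JOB = """\
<flow-definition plugin="workflow-job@2.31">
  <definition class="org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition" plugin="workflow-cps@2.61">
    <script>node { echo 'built by a sandboxed script' }</script>
    <sandbox>true</sandbox>
  </definition>
</flow-definition>
"""

SAMPLE_APPROVED_JOB = SAMPLE_SANDBOXED_JOB.replace("<sandbox>true</sandbox>", "<sandbox>false</sandbox>")


def exposure_report(inventory_json: str, job_configs: Dict[str, str]) -> Dict[str, object]:
    """Combine both checks.

    "exposed" is true only when the plugin is old AND at least one existing
    job already accepts sandboxed scripts. An old plugin with no such jobs is
    still worth patching: any user with permission to configure jobs can
    create one.
    """
    vulnerable = find_vulnerable_plugins(inventory_json)
    sandboxed_jobs = sorted(name for name, xml in job_configs.items()
                            if job_accepts_sandboxed_script(xml))
    return {
        "vulnerable_plugins": vulnerable,
        "sandboxed_jobs": sandboxed_jobs,
        "exposed": bool(vulnerable) and bool(sandboxed_jobs),
    }


if __name__ == "__main__":
    jobs = {"deploy-prod": SAMPLE_SANDBOXED_JOB, "admin-cleanup": SAMPLE_APPROVED_JOB}
    print(json.dumps(exposure_report(SAMPLE_PLUGIN_INVENTORY, jobs), indent=2))
```

In a real run, feed find_vulnerable_plugins the body of /pluginManager/api/json?depth=1 and job_accepts_sandboxed_script each job's config.xml from JENKINS_HOME/jobs/<name>/config.xml; the version comparison deliberately pads "1.50" to "1.50.0" so point releases are not misread as older than the fix.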

Evidence notes

The supplied CVE description states that Script Security Plugin 1.49 and earlier contains a sandbox bypass in GroovySandbox.java that allows attackers with the ability to provide sandboxed scripts to execute arbitrary code on the Jenkins master JVM. The supplied FIRST EPSS snapshot for 2026-05-15 reports an EPSS score of 0.94443 and percentile 0.99992 for CVE-2019-1003000. No CVSS score was supplied in the corpus.

Official resources

CVE published 2019-01-22T14:00:00.000Z. The supplied source corpus and EPSS snapshot are dated 2026-05-15T00:00:00.000Z. No KEV entry was supplied. The stored evidence carries no advisory links; the upstream references for this CVE are the Jenkins security advisory of 2019-01-08 (https://www.jenkins.io/security/advisory/2019-01-08/) and the NVD entry (https://nvd.nist.gov/vuln/detail/CVE-2019-1003000).