Template / PR Information

Wrote template for CVE-2019-1003000 - Jenkins Script Security Plugin Sandbox Bypass.

Optional parameters: username and password

If credentials are not provided - try Pre-Auth (if the target is also vulnerable to CVE-2018-1999001), then username is admin.

Try exploiting using 2 gadgets (with the reliable one first):

  • scriptsecurity.sandbox.groovy.SecureGroovyScript (reliable)
  • workflow.cps.CpsFlowDefinition (less reliable)

RCE confirmed via interactsh DNS callback for the first gadget, and HTTP callback for the second gadget.

References:

Template Validation

I’ve validated this template locally?

  • YES
  • NO

Using https://github.com/1NTheKut/CVE-2019-1003000_RCE-DETECTION run:

cd jenkins_environment
./run_vuln_jenkins.sh

This spins up a vulnerable Jenkins instance on localhost:8080 with credentials username=Naruto, password=Uzumaki.

With credentials: image

Without credentials (Pre-Auth if the target is also vulnerable to CVE-2018-1999001): image

Additional Details (leave it blank if not applicable)

/claim #10892

Additional References:

Claim

Total prize pool: $100
Total paid: $100
Status: Approved
Submitted: October 25, 2024
Last updated: December 28, 2024

Contributors

Max (@sttlr): 100%

Sponsors

ProjectDiscovery (@projectdiscovery)

$100 paid
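
For defenders reviewing a Jenkins host, the following added example (not part of this PR or the template) scans access logs for requests whose URI names either gadget class listed in the description and records whether the request was logged without an authenticated user. It assumes a reverse-proxy access log in combined format; the sample lines, IP addresses and URI paths are constructed placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Gadget class names exactly as written in the PR description.
GADGETS = {
    "scriptsecurity.sandbox.groovy.SecureGroovyScript": "SecureGroovyScript",
    "workflow.cps.CpsFlowDefinition": "CpsFlowDefinition",
}

# Assumption: reverse-proxy access log in combined log format.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_gadget_requests(lines):
    """Return {ip: [hit, ...]} for requests whose URI names one of the gadgets."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        # Decode twice so singly and doubly percent-encoded names still match.
        uri = unquote(unquote(m["uri"])).lower()
        for needle, label in GADGETS.items():
            if needle.lower() in uri:
                hits[m["ip"]].append({
                    "gadget": label,
                    "time": m["ts"],
                    "status": int(m["status"]),
                    # "-" in the user field: no authenticated user was logged
                    "anonymous": m["user"] == "-",
                })
    return dict(hits)

# Constructed sample log lines; the URI paths are placeholders, not real Jenkins routes.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Oct/2024:10:01:02 +0000] "GET /placeholder/scriptsecurity.sandbox.groovy.SecureGroovyScript/x?value=1 HTTP/1.1" 200 12 "-" "curl/8.0"',
    '203.0.113.7 - - [25/Oct/2024:10:01:05 +0000] "GET /placeholder/workflow.cps%2ECpsFlowDefinition/x HTTP/1.1" 500 0 "-" "curl/8.0"',
    '198.51.100.9 - Naruto [25/Oct/2024:10:02:00 +0000] "GET /job/build/lastBuild/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.9 - Naruto [25/Oct/2024:10:03:00 +0000] "POST /placeholder/scriptsecurity.sandbox.groovy.SecureGroovyScript/x HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, found in find_gadget_requests(SAMPLE_LOG).items():
        for h in found:
            print(ip, h["gadget"], h["time"], h["status"], "anonymous" if h["anonymous"] else "authenticated")
```

Anonymous hits against both gadgets from one source in quick succession are the pattern worth triaging first, since the description notes the template falls back to an unauthenticated attempt when no credentials are supplied.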