Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1yOWpmLWhmOXgtN2hyds4AAXbU
Exposure of Sensitive Information to an Unauthorized Actor Jenkins Script Security Plugin
In Jenkins Script Security Plugin version 1.36 and earlier, users with the ability to configure sandboxed Groovy scripts are able to use a type coercion feature in Groovy to create new File objects from strings. This allowed reading arbitrary files on the Jenkins master file system. Such a type coercion is now subject to sandbox protection and considered to be a call to the new File(String) constructor for the purpose of in-process script approval.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1yOWpmLWhmOXgtN2hyds4AAXbU
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: about 1 year ago
CVSS Score: 6.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-r9jf-hf9x-7hrv, CVE-2017-1000505
References:
- https://nvd.nist.gov/vuln/detail/CVE-2017-1000505
- https://jenkins.io/security/advisory/2017-12-11/
- https://github.com/advisories/GHSA-r9jf-hf9x-7hrv
Affected Packages
maven:org.jenkins-ci.plugins:script-security
Affected Version Ranges: <= 1.36Fixed in: 1.37