logo

Database

Improper authorization control for web services In org.jenkins-ci.plugins.workflow:workflow-cps

Description

Arbitrary code execution due to incomplete sandbox protection in Jenkins Pipeline Arbitrary code execution due to incomplete sandbox protection: Constructors, instance variable initializers, and instance initializers in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. This could be exploited e.g. by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2017-10000962. NVD-2017-10000963. OSV-2017-10000964. GCVE-2017-1000096

References

1. https://jenkins.io/security/advisory/2017-07-102. http://www.securityfocus.com/bid/99571

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.