logo

Database

Unauthorized access to screen In org.jenkins-ci.plugins:script-security

Description

Exposure of Sensitive Information to an Unauthorized Actor Jenkins Script Security Plugin In Jenkins Script Security Plugin version 1.36 and earlier, users with the ability to configure sandboxed Groovy scripts are able to use a type coercion feature in Groovy to create new File objects from strings. This allowed reading arbitrary files on the Jenkins master file system. Such a type coercion is now subject to sandbox protection and considered to be a call to the new File(String) constructor for the purpose of in-process script approval.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2017-10005052. NVD-2017-10005053. OSV-2017-10005054. GCVE-2017-1000505

References

1. https://jenkins.io/security/advisory/2017-12-11

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.