Exposure of Sensitive Information to an Unauthorized Actor Jenkins Script Security Plugin

GHSA-r9jf-hf9x-7hrv · CVE-2017-1000505

Published May 14, 2022 · Modified Feb 20, 2024

Description

In Jenkins Script Security Plugin version 1.36 and earlier, users with the ability to configure sandboxed Groovy scripts are able to use a type coercion feature in Groovy to create new File objects from strings. This allowed reading arbitrary files on the Jenkins master file system. Such a type coercion is now subject to sandbox protection and considered to be a call to the new File(String) constructor for the purpose of in-process script approval.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2017-1000505
WEB https://jenkins.io/security/advisory/2017-12-11

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes