CVE-2017-1000095 (Medium) detected in script-security-1.15.jar #95
Labels
security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-for-github-com
bot
added
the
security vulnerability
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2017-1000095 - Medium Severity Vulnerability
Allows Jenkins administrators to control what in-process scripts can be run by less-privileged users.
Library home page: https://wiki.jenkins-ci.org/display/JENKINS/Script+Security+Plugin
Path to dependency file: influxdb-plugin/pom.xml
Path to vulnerable library: /root/.m2/repository/org/jenkins-ci/plugins/script-security/1.15/script-security-1.15.jar
Dependency Hierarchy:
The default whitelist included the following unsafe entries: DefaultGroovyMethods.putAt(Object, String, Object); DefaultGroovyMethods.getAt(Object, String). These allowed circumventing many of the access restrictions implemented in the script sandbox by using e.g. currentBuild['rawBuild'] rather than currentBuild.rawBuild. Additionally, the following entries allowed accessing private data that would not be accessible otherwise due to script security: groovy.json.JsonOutput.toJson(Closure); groovy.json.JsonOutput.toJson(Object).
Publish Date: 2017-10-05
URL: CVE-2017-1000095
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://www.jenkins.io/security/advisory/2017-07-10/
Release Date: 2017-10-05
Fix Resolution: org.jenkins-ci.plugins:script-security:1.29.1
The text was updated successfully, but these errors were encountered: