CVE-2017-1000096: Arbitrary code execution due to incomplete sandbox protection: Constructors, instance variable initializers, and instance initializers in Pipeline scripts were…

high8.8CVSS 3.0

AVNACLPRLUINSUCHIHAH

Arbitrary code execution due to incomplete sandbox protection: Constructors, instance variable initializers, and instance initializers in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. This could be exploited e.g. by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles.

Affected

18 ranges

Vendor	Product	Version range	Fixed in
jenkins	build_step_plugin	—	—
jenkins	credentials_plugin	—	—
jenkins	docker_commons_plugin	—	—
jenkins	git_plugin	—	—
jenkins	github_branch_source_plugin	—	—
jenkins	groovy_plugin	—	—
jenkins	ids_in_docker_commons_plugin	—	—
jenkins	ids_in_github_branch_source_plugin	—	—
jenkins	parameterized_trigger_plugin	—	—
jenkins	periodic_backup_plugin	—	—
jenkins	pipeline	<= 2.36	—
jenkins	plugins_like_authorize_project_plugin	—	—
jenkins	poll_scm_plugin	—	—
jenkins	role-based_authorization_strategy_plugin	—	—
jenkins	script_security_plugin	—	—
jenkins	sidebar_link_plugin	—	—
jenkins	ssh_plugin	—	—
jenkins	subversion_plugin	—	—