CVE-2017-1000096Incorrect Permission Assignment in Jenkins Pipeline

CWE-732Incorrect Permission AssignmentCWE-184Incomplete List of Disallowed Inputs7 documents7 sources
Severity
8.8HIGHNVD
EPSS
0.2%
top 58.54%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Jenkins Pipeline
Timeline
PublishedOct 5
Latest updateMay 13

Description

Arbitrary code execution due to incomplete sandbox protection: Constructors, instance variable initializers, and instance initializers in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. This could be exploited e.g. by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

🔴Vulnerability Details

3
OSV
Arbitrary code execution due to incomplete sandbox protection in Jenkins Pipeline2022-05-13
GHSA
Arbitrary code execution due to incomplete sandbox protection in Jenkins Pipeline2022-05-13
CVEList
CVE-2017-1000096: Arbitrary code execution due to incomplete sandbox protection: Constructors, instance variable initializers, and instance initializers in Pipeline scr2017-10-04

📋Vendor Advisories

2
Red Hat
jenkins-plugin-workflow-cps: Arbitrary code execution due to incomplete sandbox protection (SECURITY-551)2017-07-10
Jenkins
Jenkins Security Advisory 2017-07-102017-07-10

💬Community

1
Bugzilla
CVE-2017-1000096 jenkins-plugin-workflow-cps: Arbitrary code execution due to incomplete sandbox protection (SECURITY-551)2017-07-14
CVE-2017-1000096 — Incorrect Permission Assignment | cvebase