CVE-2017-1000107 — Incomplete List of Disallowed Inputs in Jenkins Script Security

CWE-184 — Incomplete List of Disallowed Inputs8 documents7 sources

Severity

8.8HIGHNVD

EPSS

0.3%

top 49.11%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Script Security

Timeline

PublishedOct 5

Latest updateMay 13

Description

Script Security Plugin did not apply sandboxing restrictions to constructor invocations via positional arguments list, super constructor invocations, method references, and type coercion expressions. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages1 packages

▶NVDjenkins/script_security1.30

🔴Vulnerability Details

OSV

Sandbox bypass in Jenkins Script Security Plugin sandbox bypass↗2022-05-13

▶

GHSA

Sandbox bypass in Jenkins Script Security Plugin sandbox bypass↗2022-05-13

▶

CVEList

CVE-2017-1000107: Script Security Plugin did not apply sandboxing restrictions to constructor invocations via positional arguments list, super constructor invocations,↗2017-10-04

▶

📋Vendor Advisories

Red Hat

jenkins-plugin-workflow-cps: Multiple Groovy language features allowed Script Security Plugin sandbox bypass↗2017-08-07

▶

Jenkins

Jenkins Security Advisory 2017-08-07↗2017-08-07

▶

💬Community

Bugzilla

CVE-2017-1000107 jenkins-plugin-workflow-cps: Multiple Groovy language features allowed Script Security Plugin sandbox bypass↗2017-08-16

▶

Bugzilla

CVE-2017-1000107 jenkins-script-security-plugin: jenkins-plugin-script-security, jenkins-plugin-workflow-cps: Multiple Groovy language features allowed Script Security Plugin sandbox bypass [fedora-al↗2017-08-16

▶