GHSA-r9jf-hf9x-7hrv

Source
https://github.com/advisories/GHSA-r9jf-hf9x-7hrv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-r9jf-hf9x-7hrv/GHSA-r9jf-hf9x-7hrv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-r9jf-hf9x-7hrv
Aliases
Published
2022-05-14T03:45:23Z
Modified
2024-02-20T05:16:36.542050Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Exposure of Sensitive Information to an Unauthorized Actor in Jenkins Script Security Plugin
Details

In Jenkins Script Security Plugin version 1.36 and earlier, users with the ability to configure sandboxed Groovy scripts are able to use a type coercion feature in Groovy to create new File objects from strings. This allowed reading arbitrary files on the Jenkins master file system. Such a type coercion is now subject to sandbox protection and is treated as a call to the new File(String) constructor for the purpose of in-process script approval.

Database specific
{
    "nvd_published_at": "2018-01-25T18:29:00Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-01T21:43:41Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:script-security

Package

Name
org.jenkins-ci.plugins:script-security
Purl
pkg:maven/org.jenkins-ci.plugins/script-security

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version / all previous versions are affected)
Fixed
1.37

Affected versions

1.*

1.0-beta-1
1.0-beta-2
1.0-beta-3
1.0-beta-4
1.0-beta-5
1.0-beta-6
1.0
1.1
1.2
1.3
1.4
1.5
1.6
1.7
1.8
1.9
1.10
1.11
1.12
1.13
1.14
1.15
1.16
1.17
1.18
1.18.1
1.19
1.20
1.21
1.22
1.23
1.24
1.25
1.26
1.27
1.28
1.29
1.29.1
1.30
1.31
1.33
1.34
1.35
1.36

Database specific

{
    "last_known_affected_version_range": "<= 1.36"
}