CVE-2018-1000865
- EPSS 1.64%
- Veröffentlicht 10.12.2018 14:29:01
- Zuletzt bearbeitet 21.11.2024 03:40:31
A sandbox bypass vulnerability exists in Script Security Plugin 1.47 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox/SandboxTransformer.java that allows attackers with Job/Configure permission to execute arbitrary code on the J...
CVE-2017-1000505
- EPSS 0.99%
- Veröffentlicht 25.01.2018 18:29:00
- Zuletzt bearbeitet 21.11.2024 03:04:53
In Jenkins Script Security Plugin version 1.36 and earlier, users with the ability to configure sandboxed Groovy scripts are able to use a type coercion feature in Groovy to create new `File` objects from strings. This allowed reading arbitrary files...
CVE-2017-1000107
- EPSS 1.2%
- Veröffentlicht 05.10.2017 01:29:04
- Zuletzt bearbeitet 13.05.2026 00:24:29
Script Security Plugin did not apply sandboxing restrictions to constructor invocations via positional arguments list, super constructor invocations, method references, and type coercion expressions. This could be used to invoke arbitrary constructor...
CVE-2017-1000095
- EPSS 0.82%
- Veröffentlicht 05.10.2017 01:29:03
- Zuletzt bearbeitet 13.05.2026 00:24:29
The default whitelist included the following unsafe entries: DefaultGroovyMethods.putAt(Object, String, Object); DefaultGroovyMethods.getAt(Object, String). These allowed circumventing many of the access restrictions implemented in the script sandbox...
CVE-2016-3102
- EPSS 1.76%
- Veröffentlicht 09.02.2017 15:59:01
- Zuletzt bearbeitet 13.05.2026 00:24:29
The Script Security plugin before 1.18.1 in Jenkins might allow remote attackers to bypass a Groovy sandbox protection mechanism via a plugin that performs (1) direct field access or (2) get/set array operations.