CVE-2017-1000095

The default whitelist included the following unsafe entries: DefaultGroovyMethods.putAt(Object, String, Object); DefaultGroovyMethods.getAt(Object, String). These allowed circumventing many of the access restrictions implemented in the script sandbox by using e.g. currentBuild['rawBuild'] rather than currentBuild.rawBuild. Additionally, the following entries allowed accessing private data that would not be accessible otherwise due to script security: groovy.json.JsonOutput.toJson(Closure); groovy.json.JsonOutput.toJson(Object).

References

https://jenkins.io/security/advisory/2017-07-10/

Affected packages

Git / github.com/jenkinsci/script-security-plugin

Affected ranges

Type: GIT
Repo: https://github.com/jenkinsci/script-security-plugin
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

aedd89f0ead8c3eddeccb4bc7d891c3759154c37

Affected versions

script-security-1.*

script-security-1.0

script-security-1.0-beta-1

script-security-1.0-beta-2

script-security-1.0-beta-3

script-security-1.0-beta-4

script-security-1.0-beta-5

script-security-1.0-beta-6

script-security-1.1

script-security-1.10

script-security-1.11

script-security-1.12

script-security-1.13

script-security-1.14

script-security-1.15

script-security-1.16

script-security-1.17

script-security-1.18

script-security-1.19

script-security-1.2

script-security-1.20

script-security-1.21

script-security-1.22

script-security-1.23

script-security-1.24

script-security-1.25

script-security-1.26

script-security-1.27

script-security-1.28

script-security-1.29

script-security-1.3

script-security-1.30

script-security-1.31

script-security-1.32

script-security-1.33

script-security-1.34

script-security-1.4

script-security-1.5

script-security-1.6

script-security-1.7

script-security-1.8

script-security-1.9