CVE-2017-1000095

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2017-1000095

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-1000095.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2017-1000095

Aliases

GHSA-m68x-cc2f-gr5h

Downstream

RHEA-2017:1716

Published

2017-10-05T01:29:03.883Z

Modified

2026-04-11T16:23:27.094038Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

The default whitelist included the following unsafe entries: DefaultGroovyMethods.putAt(Object, String, Object); DefaultGroovyMethods.getAt(Object, String). These allowed circumventing many of the access restrictions implemented in the script sandbox by using e.g. currentBuild['rawBuild'] rather than currentBuild.rawBuild. Additionally, the following entries allowed accessing private data that would not be accessible otherwise due to script security: groovy.json.JsonOutput.toJson(Closure); groovy.json.JsonOutput.toJson(Object).

References

https://jenkins.io/security/advisory/2017-07-10/

Affected packages

Git / github.com/jenkinsci/script-security-plugin

Affected ranges

Type

GIT

Repo

https://github.com/jenkinsci/script-security-plugin

Events

Introduced

Last affected

aedd89f0ead8c3eddeccb4bc7d891c3759154c37

Database specific

{
    "cpe": "cpe:2.3:a:jenkins:script_security:1.34:*:*:*:*:jenkins:*:*",
    "source": "CPE_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.34"
        }
    ]
}

Affected versions

script-security-1.*

script-security-1.0

script-security-1.0-beta-1

script-security-1.0-beta-2

script-security-1.0-beta-3

script-security-1.0-beta-4

script-security-1.0-beta-5

script-security-1.0-beta-6

script-security-1.1

script-security-1.10

script-security-1.11

script-security-1.12

script-security-1.13

script-security-1.14

script-security-1.15

script-security-1.16

script-security-1.17

script-security-1.18

script-security-1.19

script-security-1.2

script-security-1.20

script-security-1.21

script-security-1.22

script-security-1.23

script-security-1.24

script-security-1.25

script-security-1.26

script-security-1.27

script-security-1.28

script-security-1.29

script-security-1.3

script-security-1.30

script-security-1.31

script-security-1.32

script-security-1.33

script-security-1.34

script-security-1.4

script-security-1.5

script-security-1.6

script-security-1.7

script-security-1.8

script-security-1.9

Database specific

source

"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2017-1000095.json"