CVE-2017-1000505
MEDIUM6.5EPSS 0.32%Exposure of Sensitive Information to an Unauthorized Actor Jenkins Script Security Plugin
發布日:2022/5/14修改日:2024/2/20
描述
In Jenkins Script Security Plugin version 1.36 and earlier, users with the ability to configure sandboxed Groovy scripts are able to use a type coercion feature in Groovy to create new `File` objects from strings. This allowed reading arbitrary files on the Jenkins master file system. Such a type coercion is now subject to sandbox protection and considered to be a call to the `new File(String)` constructor for the purpose of in-process script approval.
受影響套件(1)
- Maven/org.jenkins-ci.plugins:script-securityfrom 0, < 1.37
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |