Jenkins Security Advisory 2017-12-11

This advisory announces a vulnerability in this Jenkins plugin:

Description

Arbitrary file read vulnerability in Script Security Plugin

SECURITY-663 / CVE-2017-1000505

Users with the ability to configure sandboxed Groovy and Pipeline scripts, including those from SCM, are able to use a type coercion feature in Groovy to create new File objects from strings. This allowed reading arbitrary files on the Jenkins master file system.

Such a type coercion is now subject to sandbox protection and considered to be a call to the new File(String) constructor for the purpose of in-process script approval.

Severity

Affected versions

  • Script Security Plugin up to and including 1.36

Fix

  • Script Security Plugin should be updated to version 1.37

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Credit

The Jenkins project would like to thank the reporter for discovering and reporting this vulnerability:

  • Gregory Draperi for SECURITY-663