615 matches found
CVE-2017-2650
It was found that the use of Pipeline: Classpath Step Jenkins plugin enables a bypass of the Script Security sandbox for users with SCM commit access, as well as users with e.g. Job/Configure permission in Jenkins...
CVE-2017-2650
The CVE-2017-2650 entry concerns the Jenkins Pipeline: Classpath Step plugin, where the Script Security sandbox can be bypassed. The issue affects Jenkins environments using this plugin, enabling users with SCM commit access or with permissions such as Job/Configure to bypass sandbox restrictions...
CVE-2017-1000505
In Jenkins Script Security Plugin version 1.36 and earlier, users with the ability to configure sandboxed Groovy scripts are able to use a type coercion feature in Groovy to create new File objects from strings. This allowed reading arbitrary files on the Jenkins master file system. Such a type...
Jenkins Script Security Plugin Arbitrary File Read Vulnerability
CloudBees Jenkins CI formerly known as Hudson Labs is the United States CloudBees company's set of Java-based development of continuous integration tools , it is mainly used to monitor the continuous software release/testing projects and some of the timed execution of the task . Script Security...
Type confusion
In Jenkins Script Security Plugin version 1.36 and earlier, users with the ability to configure sandboxed Groovy scripts are able to use a type coercion feature in Groovy to create new File objects from strings. This allowed reading arbitrary files on the Jenkins master file system. Such a type...
CVE-2017-1000505
In Jenkins Script Security Plugin version 1.36 and earlier, users with the ability to configure sandboxed Groovy scripts are able to use a type coercion feature in Groovy to create new File objects from strings. This allowed reading arbitrary files on the Jenkins master file system. Such a type...
CVE-2017-1000505
In Jenkins Script Security Plugin versions 1.36 and earlier, users who can configure sandboxed Groovy scripts could abuse a Groovy type coercion to create new File objects from strings, enabling reading arbitrary files on the Jenkins master filesystem. The entry notes this type coercion is now tr...
CVE-2017-1000505
In Jenkins Script Security Plugin version 1.36 and earlier, users with the ability to configure sandboxed Groovy scripts are able to use a type coercion feature in Groovy to create new File objects from strings. This allowed reading arbitrary files on the Jenkins master file system. Such a type...
CloudBees Jenkins Script Security plugin security bypass vulnerability
CloudBees Jenkins formerly known as Hudson Labs is the United States CloudBees company's set of Java-based development of continuous integration tools , the tool is mainly used to monitor the order of repetitive work . Script Security is one of the plug-ins used to detect the script security . A...
CVE-2017-1000107
Script Security Plugin did not apply sandboxing restrictions to constructor invocations via positional arguments list, super constructor invocations, method references, and type coercion expressions. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection...
CVE-2017-1000095
The default whitelist included the following unsafe entries: DefaultGroovyMethods.putAtObject, String, Object; DefaultGroovyMethods.getAtObject, String. These allowed circumventing many of the access restrictions implemented in the script sandbox by using e.g. currentBuild'rawBuild' rather than...
Type confusion
Script Security Plugin did not apply sandboxing restrictions to constructor invocations via positional arguments list, super constructor invocations, method references, and type coercion expressions. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection...
CVE-2017-1000107
CVE-2017-1000107 affects the Jenkins Script Security Plugin. The root cause is that sandboxing restrictions were not applied to constructor invocations via positional argument lists, super constructors, method references, or type coercion expressions, allowing potential bypass of sandbox protecti...
CVE-2017-1000107
Script Security Plugin did not apply sandboxing restrictions to constructor invocations via positional arguments list, super constructor invocations, method references, and type coercion expressions. This could be used to invoke arbitrary constructors and methods, bypassing sandbox protection...
CloudBees Jenkins Script Security plugin security bypass vulnerability
CloudBees Jenkins CI formerly known as Hudson Labs is the United States CloudBees company's set of Java-based development of continuous integration tools , it is mainly used to monitor the continuous software release/testing projects and some of the timed execution of the task . Script Security...
jenkins-plugin-script-security: Unsafe methods in the default whitelist (SECURITY-538)
The jenkins-plugin-script-security improperly whitelisted "DefaultGroovyMethods.putAtObject, String, Object" and "DefaultGroovyMethods.getAtObject, String" which allows attackers to bypass many restrictions and potentially trigger builds or access data they should not have access to. Exploitation...
CVE-2017-1000095
The jenkins-plugin-script-security improperly whitelisted "DefaultGroovyMethods.putAtObject, String, Object" and "DefaultGroovyMethods.getAtObject, String" which allows attackers to bypass many restrictions and potentially trigger builds or access data they should not have access to. Exploitation...
Audiojungle Clone Script - SQL Injection
Audiojungle Clone Script - SQL Injection Exploit Title: Audiojungle Clone Script - SQL Injection Google Dork: N/A Date: 08.03.2017 Vendor Homepage: http://bsetec.com/ Software : http://audiojungleclone.bsetec.com/ Demo: http://www.bsetecdemo.com/audiojungleclone Version: N/A Tested on: Win7 x64,...
CVE-2016-3102
The Script Security plugin before 1.18.1 in Jenkins might allow remote attackers to bypass a Groovy sandbox protection mechanism via a plugin that performs 1 direct field access or 2 get/set array operations...
CVE-2016-3102
The Script Security plugin before 1.18.1 in Jenkins might allow remote attackers to bypass a Groovy sandbox protection mechanism via a plugin that performs 1 direct field access or 2 get/set array operations...