Bug 1471060 (CVE-2017-1000095)
Summary: | CVE-2017-1000095 jenkins-plugin-script-security: Unsafe methods in the default whitelist (SECURITY-538) | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | ahardin, bleanhar, ccoleman, dedgar, dmcphers, eparis, java-sig-commits, jgoulding, jkeck, joelsmith, jokerman, kseifried, mchappel, mizdebsk, msrb, tjay |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | jenkins-plugin-script-security 1.29.1 | Doc Type: | If docs needed, set a value |
Doc Text: |
The jenkins-plugin-script-security improperly whitelisted "DefaultGroovyMethods.putAt(Object, String, Object)" and "DefaultGroovyMethods.getAt(Object, String)" which allows attackers to bypass many restrictions and potentially trigger builds or access data they should not have access to. Exploitation of this requires the attacker to have access to the Jenkins instance, and for that Jenkins instance to be hosting other projects as well that the attacker should not have access to.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2017-08-14 16:43:05 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1471061, 1472032 | ||
Bug Blocks: | 1471067 |
Description
Adam Mariš
2017-07-14 10:31:13 UTC
Acknowledgments: Name: the Jenkins project Created jenkins-script-security-plugin tracking bugs for this issue: Affects: fedora-all [bug 1471061] Statement: This issue affects the versions of jenkins-plugin-script-security as shipped with OpenShift Enterprise 3. However, this flaw is of low impact under the supported scenarios in OpenShift Enterprise 3. A future update may address this issue. |