The following flaw was found in Jenkins:

The Script Security plugin provides a Groovy sandbox implementation to other plugins that only allows whitelisted commands to be executed. This sandbox did not cover direct field access (foo.@bar) or get/set array operations (foo[bar]).

External References:

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-04-11
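
A simplified model of the coverage gap described above, added here as an illustration and not code from the Script Security plugin or the advisory. The operation kinds mirror the Groovy forms named in the report; the whitelist entries, type names and sample script are constructed, and the "complete" check shows the general default-deny design rather than the plugin's actual fix.

```python
# Toy model (constructed): a script is a list of operations, each a tuple
# (kind, receiver_type, member). Kinds mirror the Groovy forms in the report.
METHOD, PROPERTY, ATTRIBUTE, ARRAY_GET, ARRAY_SET = (
    "method", "property", "attribute", "array_get", "array_set")

# Hypothetical whitelist of approved (kind, receiver type, member) entries.
WHITELIST = {
    (METHOD, "String", "toUpperCase"),
    (PROPERTY, "Build", "number"),
    (ARRAY_GET, "int[]", "*"),
}

class Rejected(Exception):
    pass

def check_partial(op):
    """Gap: only method calls and property access are mediated."""
    if op[0] in (METHOD, PROPERTY) and op not in WHITELIST:
        raise Rejected(op)
    # ATTRIBUTE and ARRAY_* operations fall through without any check.

def check_complete(op):
    """Complete mediation: every kind is checked, unknown means deny."""
    kind, rtype, member = op
    if kind in (ARRAY_GET, ARRAY_SET):
        member = "*"  # in this model arrays are approved per type, not per index
    if (kind, rtype, member) not in WHITELIST:
        raise Rejected(op)

def run(script, check):
    """Return (allowed, rejected) operations for a script under a checker."""
    allowed, rejected = [], []
    for op in script:
        try:
            check(op)
            allowed.append(op)
        except Rejected:
            rejected.append(op)
    return allowed, rejected

# Constructed sample script; comments give the Groovy form each tuple models.
SCRIPT = [
    (METHOD, "String", "toUpperCase"),  # s.toUpperCase()   approved
    (PROPERTY, "Build", "secret"),      # build.secret      not approved
    (ATTRIBUTE, "Build", "secret"),     # build.@secret     not approved
    (ARRAY_GET, "int[]", "0"),          # ints[0]           approved
    (ARRAY_SET, "Object[]", "0"),       # objs[0] = v       not approved
]
```

Running the sample under both checkers shows that the partial check rejects only build.secret, while the same field read through build.@secret and the unapproved array write pass unmediated.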
Created jenkins tracking bugs for this issue:

Affects: fedora-all [bug 1326408]
These are in Jenkins plugins that do not ship with OpenShift Enterprise.
jenkins-1.651.1-1.fc24, jenkins-credentials-plugin-1.27-1.fc24, jenkins-junit-plugin-1.12-1.fc24, jenkins-mailer-plugin-1.17-1.fc24, jenkins-remoting-2.57-1.fc24, jenkins-script-security-plugin-1.18.1-1.fc24, owasp-java-html-sanitizer-20160422.1-1.fc24, stapler-1.242-1.fc24, tiger-types-2.2-1.fc24 have been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.