https://bugzilla.redhat.com/show_bug.cgi?id=1471060
Bug ID: 1471060
Summary: CVE-2017-1000095 jenkins-plugin-script-security: Unsafe methods in the default whitelist (SECURITY-538)
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: high
Priority: high
Assignee: security-response-team@redhat.com
Reporter: amaris@redhat.com
CC: bleanhar@redhat.com, ccoleman@redhat.com, dedgar@redhat.com, dmcphers@redhat.com, java-sig-commits@lists.fedoraproject.org, jgoulding@redhat.com, jkeck@redhat.com, joelsmith@redhat.com, kseifried@redhat.com, mizdebsk@redhat.com, msrb@redhat.com

The default whitelist included the entries:
DefaultGroovyMethods.putAt(Object, String, Object)
DefaultGroovyMethods.getAt(Object, String)
These allowed circumventing many of the access restrictions implemented in the script sandbox by using e.g. currentBuild['rawBuild'] rather than currentBuild.rawBuild.
Additionally, the following entries allowed accessing private data that would not be accessible otherwise due to script security:
groovy.json.JsonOutput.toJson(Closure)
groovy.json.JsonOutput.toJson(Object)
External References:
https://jenkins.io/security/advisory/2017-07-10/
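
Added example (not part of the original bug report and not the Jenkins project's code): a Python audit that checks a list of Script Security signatures for the four entries named above, for instance where an administrator has approved them manually. It assumes the plugin's "staticMethod <class> <method> <parameter types>" signature syntax and a scriptApproval.xml layout with approvedSignatures / aclApprovedSignatures elements; the fully qualified class names are filled in from Groovy's packages, and the sample XML is constructed.

```python
import xml.etree.ElementTree as ET

DGM = "org.codehaus.groovy.runtime.DefaultGroovyMethods"
JSON_OUT = "groovy.json.JsonOutput"
OBJ, STR = "java.lang.Object", "java.lang.String"

# The four whitelist entries named in the advisory, written as token tuples in
# the plugin's signature syntax: staticMethod <class> <method> <param types...>
FLAGGED = {
    ("staticMethod", DGM, "putAt", OBJ, STR, OBJ),
    ("staticMethod", DGM, "getAt", OBJ, STR),
    ("staticMethod", JSON_OUT, "toJson", "groovy.lang.Closure"),
    ("staticMethod", JSON_OUT, "toJson", OBJ),
}

def normalize(line):
    """Tokenize one signature line; None for blank lines and # comments."""
    line = (line or "").strip()
    if not line or line.startswith("#"):
        return None
    return tuple(line.split())

def signatures_from_xml(xml_text):
    """Yield signature strings from a scriptApproval.xml document (assumed layout)."""
    root = ET.fromstring(xml_text)
    for parent in root.iter():
        if parent.tag in ("approvedSignatures", "aclApprovedSignatures"):
            for node in parent.findall("string"):
                yield node.text or ""

def audit(lines):
    """Return (position, normalized signature) for every flagged entry."""
    hits = []
    for pos, line in enumerate(lines, 1):
        sig = normalize(line)
        if sig in FLAGGED:
            hits.append((pos, " ".join(sig)))
    return hits

# Constructed sample, not taken from a real Jenkins instance.
SAMPLE_XML = """<scriptApproval>
  <approvedSignatures>
    <string>method java.lang.String length</string>
    <string>staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt java.lang.Object java.lang.String</string>
    <string>staticMethod  groovy.json.JsonOutput   toJson java.lang.Object</string>
    <string>staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt java.util.List int</string>
  </approvedSignatures>
</scriptApproval>"""

if __name__ == "__main__":
    for pos, sig in audit(signatures_from_xml(SAMPLE_XML)):
        print(f"entry {pos}: {sig}")
```

Matching is on the exact parameter types, so the getAt(List, int) overload in the sample is not reported while getAt(Object, String) is.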