CloudBees Security Advisory 2017-12-11

This advisory announces a vulnerability in the Script Security Jenkins plugin

Arbitrary file read vulnerability in Script Security Plugin

SECURITY-663

Users with the ability to configure sandboxed Groovy and Pipeline scripts, including those from SCM, are able to use a type coercion feature in Groovy to create new File objects from strings. This allowed reading arbitrary files on the Jenkins master file system.

Such a type coercion is now subject to sandbox protection and considered to be a call to the new File(String) constructor for the purpose of in-process script approval.

Severity: 

All versions of Script Security Plugin up to and including 1.36 are affected.

Fix: 
  • Script Security Plugin should be updated to version 1.37

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.

Instructions to get the fixes for the different CloudBees Jenkins Solutions are included below:

  • CloudBees Jenkins Enterprise
    • For users of version 1.11.0 with CAP enabled, Beekeeper will offer the update.
    • Users of versions older than 1.11.0 should upgrade to 1.11.0
    • Users with CAP disabled can get the plugin version including the fix through the Plugin Manager.
  • CloudBees Jenkins Platform (rolling train, CloudBees Jenkins Operations Center and CloudBees Jenkins Enterprise 2.x.y.z)
    • For users of version 2.89.1.6 with CAP enabled, Beekeeper will offer the update.
    • Users of versions older than 2.89.1.6 should upgrade to 2.89.1.6
    • Users with CAP disabled can get the plugin version including the fix through the Plugin Manager.
  • CloudBees Jenkins Platform (fixed train, CloudBees Jenkins Operations Center and CloudBees Jenkins Enterprise 2.46.x.0.y)
    • For users of version 2.46.27.0.1 with CAP enabled, Beekeeper will offer the update.
    • Users of versions older than 2.46.27.0.1 should upgrade to 2.46.27.0.1
    • Users with CAP disabled can get the plugin version including the fix through the Plugin Manager.
  • CloudBees Jenkins Team
    • For users of version 2.89.1.6 with CAP enabled, Beekeeper will offer the update.
    • Users of versions older than 2.89.1.6 should upgrade to 2.89.1.6
    • Users with CAP disabled can get the plugin version including the fix through the Plugin Manager.
  • DEV@cloud is already protected.