CloudBees Security Advisory 2017-12-11

This advisory announces a vulnerability in the Script Security Jenkins plugin.

Arbitrary file read vulnerability in Script Security Plugin

SECURITY-663

Users with the ability to configure sandboxed Groovy and Pipeline scripts, including those from SCM, were able to use a type coercion feature in Groovy to create new File objects from strings without being subject to the sandbox check that applies to the new File(String) constructor. This allowed reading arbitrary files on the Jenkins master file system.

Such a type coercion is now subject to sandbox protection and considered to be a call to the new File(String) constructor for the purpose of in-process script approval.
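
The following sandboxed Pipeline script is added here as an illustration; it is not taken from the advisory or from the plugin's own code. It performs the coercion the advisory describes (Groovy's `as` operator converting a String to a File) so that an administrator can confirm whether a given Jenkins master has the fix in effect. The file path is an assumption; any path outside the build workspace serves the same purpose.

```groovy
// Added example, not part of the advisory or of the Script Security plugin.
// Run as a Pipeline script with "Use Groovy Sandbox" enabled.
// The path below is an assumption; any file outside the workspace will do.
def path = '/etc/hostname'

// The explicit constructor has always been intercepted by the sandbox and is
// reported to In-process Script Approval as:  new java.io.File java.lang.String
// It is left commented out so the script reaches the coercion below.
// def viaConstructor = new File(path)

// Groovy type coercion with the `as` operator. On Script Security 1.36 and
// earlier this produced a File object without the constructor check above.
def viaCoercion = path as File

// On Script Security 1.37 and later the coercion is treated as new File(String):
// the line above fails with a RejectedAccessException ("Scripts not permitted to
// use new java.io.File java.lang.String") and that signature is queued under
// Manage Jenkins > In-process Script Approval. If the echo below runs, the
// plugin on this master still has the vulnerable behaviour.
echo "coercion was not intercepted: ${viaCoercion}"
```

Run it only with the sandbox enabled: with the sandbox disabled the whole script would instead wait for approval as a unit, which says nothing about the coercion check. Do not approve the `new java.io.File java.lang.String` signature that the fixed version queues; approving it re-opens exactly the file access this advisory closes.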

Affected versions

All versions of Script Security Plugin up to and including 1.36 are affected.

Fix

  • Script Security Plugin should be updated to version 1.37

This version includes the fix for the vulnerability described above. All prior versions are considered to be affected by this vulnerability unless otherwise indicated.

Instructions to get the fixes for the different CloudBees Jenkins Solutions are included below:

  • CloudBees Jenkins Enterprise

    • For users of version 1.11.0 with CAP enabled, Beekeeper will offer the update.

    • Users of versions older than 1.11.0 should upgrade to 1.11.0.

    • Users with CAP disabled can get the plugin version including the fix through the Plugin Manager.

  • CloudBees Jenkins Platform (rolling train, CloudBees Jenkins Operations Center and CloudBees Jenkins Enterprise 2.x.y.z)

    • For users of version 2.89.1.6 with CAP enabled, Beekeeper will offer the update.

    • Users of versions older than 2.89.1.6 should upgrade to 2.89.1.6.

    • Users with CAP disabled can get the plugin version including the fix through the Plugin Manager.

  • CloudBees Jenkins Platform (fixed train, CloudBees Jenkins Operations Center and CloudBees Jenkins Enterprise 2.46.x.0.y)

    • For users of version 2.46.27.0.1 with CAP enabled, Beekeeper will offer the update.

    • Users of versions older than 2.46.27.0.1 should upgrade to 2.46.27.0.1.

    • Users with CAP disabled can get the plugin version including the fix through the Plugin Manager.

  • CloudBees Jenkins Team

    • For users of version 2.89.1.6 with CAP enabled, Beekeeper will offer the update.

    • Users of versions older than 2.89.1.6 should upgrade to 2.89.1.6.

    • Users with CAP disabled can get the plugin version including the fix through the Plugin Manager.

  • DEV@cloud is already protected.