Gregory Draper

Name of the Vulnerable Software and Affected Versions: PENUP versions prior to 3.8.00.18 Description: The issue is related to improper access control, allowing arbitrary webpage loading in webview. This could potentially lead to unauthorized access or malicious activities. Recommendations: For versions prior to 3.8.00.18, update to version 3.8.00.18 or later to resolve the issue. As a temporary workaround, consider restricting access to the webview component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Jenkins Script Security Plugin versions 1.36 and earlier **Description** The issue allows users with the ability to configure sandboxed Groovy scripts to create new `File` objects from strings using a type coercion feature in Groovy. This enables reading arbitrary files on the Jenkins master file system. The type coercion is now subject to sandbox protection and is considered a call to the `new File(String)` constructor for in-process script approval. **Recommendations** For Jenkins Script Security Plugin versions 1.36 and earlier, consider updating to a version where the type coercion is properly subject to sandbox protection to prevent the creation of new `File` objects from strings. As a temporary workaround, restrict the ability to configure sandboxed Groovy scripts to trusted users only.