CVE-2017-1000505

Name of the Vulnerable Software and Affected Versions Jenkins Script Security Plugin versions 1.36 and earlier

Description The issue allows users with the ability to configure sandboxed Groovy scripts to create new File objects from strings using a type coercion feature in Groovy. This enables reading arbitrary files on the Jenkins master file system. The type coercion is now subject to sandbox protection and is considered a call to the new File(String) constructor for in-process script approval.

Recommendations For Jenkins Script Security Plugin versions 1.36 and earlier, consider updating to a version where the type coercion is properly subject to sandbox protection to prevent the creation of new File objects from strings. As a temporary workaround, restrict the ability to configure sandboxed Groovy scripts to trusted users only.