Description
Arbitrary code execution due to incomplete sandbox protection: Constructors, instance variable initializers, and instance initializers in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. This could be exploited, for example, by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles.
References (2)
Core References
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/99571
Vendor Advisory (x_refsource_confirm): https://jenkins.io/security/advisory/2017-07-10/
Scores
CVSS v3
8.8
EPSS
0.0019
EPSS Percentile
41.1%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-732
Status
published
Products (2)
jenkins/pipeline
< 2.36
org.jenkins-ci.plugins.workflow/workflow-cps
0 - 2.36.1 (Maven)
Published
Oct 05, 2017
Tracked Since
Feb 18, 2026