ID CVE-2016-3102
Summary The Script Security plugin before 1.18.1 in Jenkins might allow remote attackers to bypass a Groovy sandbox protection mechanism via a plugin that performs (1) direct field access or (2) get/set array operations.
References
Vulnerable Configurations
  • Jenkins Script Security 1.18 for Jenkins
    cpe:2.3:a:jenkins:script_security:1.18:-:-:-:-:jenkins
  • Jenkins Script Security 1.17 for Jenkins
    cpe:2.3:a:jenkins:script_security:1.17:-:-:-:-:jenkins
  • Jenkins Script Security 1.16 for Jenkins
    cpe:2.3:a:jenkins:script_security:1.16:-:-:-:-:jenkins
  • Jenkins Script Security 1.15 for Jenkins
    cpe:2.3:a:jenkins:script_security:1.15:-:-:-:-:jenkins
  • Jenkins Script Security 1.14 for Jenkins
    cpe:2.3:a:jenkins:script_security:1.14:-:-:-:-:jenkins
  • Jenkins Script Security 1.13 for Jenkins
    cpe:2.3:a:jenkins:script_security:1.13:-:-:-:-:jenkins
  • Jenkins Script Security 1.12 for Jenkins
    cpe:2.3:a:jenkins:script_security:1.12:-:-:-:-:jenkins
  • Jenkins Script Security 1.11 for Jenkins
    cpe:2.3:a:jenkins:script_security:1.11:-:-:-:-:jenkins
  • Jenkins Script Security 1.10 for Jenkins
    cpe:2.3:a:jenkins:script_security:1.10:-:-:-:-:jenkins
  • Jenkins Script Security 1.9 for Jenkins
    cpe:2.3:a:jenkins:script_security:1.9:-:-:-:-:jenkins
  • Jenkins Script Security 1.8 for Jenkins
    cpe:2.3:a:jenkins:script_security:1.8:-:-:-:-:jenkins
  • Jenkins Script Security 1.7 for Jenkins
    cpe:2.3:a:jenkins:script_security:1.7:-:-:-:-:jenkins
  • Jenkins Script Security 1.6 for Jenkins
    cpe:2.3:a:jenkins:script_security:1.6:-:-:-:-:jenkins
  • Jenkins Script Security 1.5 for Jenkins
    cpe:2.3:a:jenkins:script_security:1.5:-:-:-:-:jenkins
  • Jenkins Script Security 1.4 for Jenkins
    cpe:2.3:a:jenkins:script_security:1.4:-:-:-:-:jenkins
  • Jenkins Script Security 1.3 for Jenkins
    cpe:2.3:a:jenkins:script_security:1.3:-:-:-:-:jenkins
  • Jenkins Script Security 1.2 for Jenkins
    cpe:2.3:a:jenkins:script_security:1.2:-:-:-:-:jenkins
  • Jenkins Script Security 1.1 for Jenkins
    cpe:2.3:a:jenkins:script_security:1.1:-:-:-:-:jenkins
  • Jenkins Script Security 1.0 for Jenkins
    cpe:2.3:a:jenkins:script_security:1.0:-:-:-:-:jenkins
CVSS
Base: 7.5 (as of 28-02-2017 - 12:31)
Impact:
Exploitability:
CWE CWE-254
CAPEC
Access
Vector   Complexity  Authentication
NETWORK  LOW         NONE
Impact
Confidentiality  Integrity  Availability
PARTIAL          PARTIAL    PARTIAL
nessus via4
NASL family Fedora Local Security Checks
NASL id FEDORA_2016-F3B40FCBC3.NASL
description Security fix for CVE-2016-3102. Update to 1.651.1. Fix dangling symlink (rhbz#1330472). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen 2019-02-21
modified 2017-03-06
plugin id 92206
published 2016-07-14
reporter Tenable
source https://www.tenable.com/plugins/index.php?view=single&id=92206
title Fedora 24 : jenkins / jenkins-credentials-plugin / jenkins-junit-plugin / etc (2016-f3b40fcbc3)
refmap via4
confirm https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-04-11
Last major update 28-02-2017 - 12:37
Published 09-02-2017 - 10:59