CVE-2017-1000095 - OpenCVE

The default whitelist included the following unsafe entries: DefaultGroovyMethods.putAt(Object, String, Object); DefaultGroovyMethods.getAt(Object, String). These allowed circumventing many of the access restrictions implemented in the script sandbox by using e.g. currentBuild['rawBuild'] rather than currentBuild.rawBuild. Additionally, the following entries allowed accessing private data that would not be accessible otherwise due to script security: groovy.json.JsonOutput.toJson(Closure); groovy.json.JsonOutput.toJson(Object).

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:S/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Jenkins	Script Security
Redhat	Openshift

Configuration 1 [-]

cpe:2.3:a:jenkins:script_security:1.34:*:*:*:*:jenkins:*:*

Package	CPE	Advisory	Released Date
Red Hat OpenShift Container Platform 3.6
jenkins-plugin-script-security-0:1.29-1.el7	cpe:/a:redhat:openshift:3.6::el7	RHEA-2017:1716	2017-08-10T00:00:00Z

References

Link	Providers
https://jenkins.io/security/advisory/2017-07-10/
https://nvd.nist.gov/vuln/detail/CVE-2017-1000095
https://www.cve.org/CVERecord?id=CVE-2017-1000095

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2017-10-04T01:00:00

Updated: 2024-08-05T21:53:06.664Z

Reserved: 2017-07-13T00:00:00

Link: CVE-2017-1000095

Vulnrichment

No data.

NVD

Status : Analyzed

Published: 2017-10-05T01:29:03.883

Modified: 2019-10-03T00:03:26.223

Link: CVE-2017-1000095

Redhat

Severity : Important

Publid Date: 2017-07-10T00:00:00Z

Links: CVE-2017-1000095 - Bugzilla

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "dateAssigned": "2017-08-22T00:00:00", "datePublic": "2017-10-03T00:00:00", "descriptions": [{"lang": "en", "value": "The default whitelist included the following unsafe entries: DefaultGroovyMethods.putAt(Object, String, Object); DefaultGroovyMethods.getAt(Object, String). These allowed circumventing many of the access restrictions implemented in the script sandbox by using e.g. currentBuild['rawBuild'] rather than currentBuild.rawBuild. Additionally, the following entries allowed accessing private data that would not be accessible otherwise due to script security: groovy.json.JsonOutput.toJson(Closure); groovy.json.JsonOutput.toJson(Object)."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-10-04T00:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://jenkins.io/security/advisory/2017-07-10/"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "DATE_ASSIGNED": "2017-08-22T17:29:33.313879", "ID": "CVE-2017-1000095", "REQUESTER": "ml@beckweb.net", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The default whitelist included the following unsafe entries: DefaultGroovyMethods.putAt(Object, String, Object); DefaultGroovyMethods.getAt(Object, String). These allowed circumventing many of the access restrictions implemented in the script sandbox by using e.g. currentBuild['rawBuild'] rather than currentBuild.rawBuild. Additionally, the following entries allowed accessing private data that would not be accessible otherwise due to script security: groovy.json.JsonOutput.toJson(Closure); groovy.json.JsonOutput.toJson(Object)."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://jenkins.io/security/advisory/2017-07-10/", "refsource": "CONFIRM", "url": "https://jenkins.io/security/advisory/2017-07-10/"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T21:53:06.664Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://jenkins.io/security/advisory/2017-07-10/"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2017-1000095", "datePublished": "2017-10-04T01:00:00", "dateReserved": "2017-07-13T00:00:00", "dateUpdated": "2024-08-05T21:53:06.664Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:script_security:1.34:*:*:*:*:jenkins:*:*", "matchCriteriaId": "F330BD19-176E-4D33-8302-9904501F853F", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The default whitelist included the following unsafe entries: DefaultGroovyMethods.putAt(Object, String, Object); DefaultGroovyMethods.getAt(Object, String). These allowed circumventing many of the access restrictions implemented in the script sandbox by using e.g. currentBuild['rawBuild'] rather than currentBuild.rawBuild. Additionally, the following entries allowed accessing private data that would not be accessible otherwise due to script security: groovy.json.JsonOutput.toJson(Closure); groovy.json.JsonOutput.toJson(Object)."}, {"lang": "es", "value": "La lista blanca por defecto incluye las siguientes entradas no seguras: DefaultGroovyMethods.putAt(Object, String, Object); DefaultGroovyMethods.getAt(Object, String). Esto permite omitir muchas de las restricciones de acceso implementadas en el sandbox del script utilizando, por ejemplo, currentBuild['rawBuild'] en vez de currentBuild.rawBuild. Adem\u00e1s, las siguientes entradas permiten que se acceda a datos privados que no ser\u00edan accesibles de otra manera por mecanismos de seguridad de scripts: groovy.json.JsonOutput.toJson(Closure); groovy.json.JsonOutput.toJson(Object)."}], "id": "CVE-2017-1000095", "lastModified": "2019-10-03T00:03:26.223", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-10-05T01:29:03.883", "references": [{"source": "cve@mitre.org", "tags": ["Vendor Advisory"], "url": "https://jenkins.io/security/advisory/2017-07-10/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-732"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank the Jenkins project for reporting this issue.", "affected_release": [{"advisory": "RHEA-2017:1716", "cpe": "cpe:/a:redhat:openshift:3.6::el7", "package": "jenkins-plugin-script-security-0:1.29-1.el7", "product_name": "Red Hat OpenShift Container Platform 3.6", "release_date": "2017-08-10T00:00:00Z"}], "bugzilla": {"description": "jenkins-plugin-script-security: Unsafe methods in the default whitelist (SECURITY-538)", "id": "1471060", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1471060"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.8", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-184", "details": ["The default whitelist included the following unsafe entries: DefaultGroovyMethods.putAt(Object, String, Object); DefaultGroovyMethods.getAt(Object, String). These allowed circumventing many of the access restrictions implemented in the script sandbox by using e.g. currentBuild['rawBuild'] rather than currentBuild.rawBuild. Additionally, the following entries allowed accessing private data that would not be accessible otherwise due to script security: groovy.json.JsonOutput.toJson(Closure); groovy.json.JsonOutput.toJson(Object).", "The jenkins-plugin-script-security improperly whitelisted \"DefaultGroovyMethods.putAt(Object, String, Object)\" and \"DefaultGroovyMethods.getAt(Object, String)\" which allows attackers to bypass many restrictions and potentially trigger builds or access data they should not have access to. Exploitation of this requires the attacker to have access to the Jenkins instance, and for that Jenkins instance to be hosting other projects as well that the attacker should not have access to."], "name": "CVE-2017-1000095", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.5", "fix_state": "Will not fix", "impact": "low", "package_name": "jenkins-plugin-script-security", "product_name": "Red Hat OpenShift Container Platform 3.5"}], "public_date": "2017-07-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-1000095\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-1000095\nhttps://jenkins.io/security/advisory/2017-07-10/"], "statement": "This issue affects the versions of jenkins-plugin-script-security as shipped with OpenShift Enterprise 3. However, this flaw is of low impact under the supported scenarios in OpenShift Enterprise 3. A future update may address this issue.", "threat_severity": "Important", "upstream_fix": "jenkins-plugin-script-security 1.29.1"}