Skip to main content

Script Security CVE-2016-3102

HIGH
7PK - Security Features (CWE-254)
2017-02-09 secalert@redhat.com
7.3
CVSS 3.0 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
CVE Published
Feb 09, 2017 - 15:59 cve.org
HIGH 7.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 9 maven packages depend on org.jenkins-ci.plugins:script-security (6 direct, 3 indirect)

Ecosystem-wide dependent count for version 1.18.1.

DescriptionCVE.org

The Script Security plugin before 1.18.1 in Jenkins might allow remote attackers to bypass a Groovy sandbox protection mechanism via a plugin that performs (1) direct field access or (2) get/set array operations.

AnalysisAI

The Script Security plugin before 1.18.1 in Jenkins might allow remote attackers to bypass a Groovy sandbox protection mechanism via a plugin that performs (1) direct field access or (2) get/set. Rated high severity (CVSS 7.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Technical ContextAI

This vulnerability is classified under CWE-254. The Script Security plugin before 1.18.1 in Jenkins might allow remote attackers to bypass a Groovy sandbox protection mechanism via a plugin that performs (1) direct field access or (2) get/set array operations. Affected products include: Jenkins Script Security. Version information: before 1.18.1.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.

CVE-2019-1003029 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/

CVE-2019-1003005 HIGH POC
8.8 Feb 06

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.50 and earlier in src/main/java/org/jenkinsci/

CVE-2019-1003000 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/

CVE-2022-43404 CRITICAL
9.9 Oct 19

A sandbox bypass vulnerability involving crafted constructor bodies and calls to sandbox-generated synthetic constructor

CVE-2022-43403 CRITICAL
9.9 Oct 19

A sandbox bypass vulnerability involving casting an array-like value to an array type in Jenkins Script Security Plugin

CVE-2022-43401 CRITICAL
9.9 Oct 19

A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Sc

CVE-2020-2279 CRITICAL
9.9 Sep 23

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.74 and earlier allows attackers with permission to de

CVE-2019-10431 CRITICAL
9.9 Oct 01

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.64 and earlier related to the handling of default par

CVE-2024-34144 CRITICAL
9.8 May 02

A sandbox bypass vulnerability involving crafted constructor bodies in Jenkins Script Security Plugin 1335.vf07d9ce377a_

CVE-2019-1003040 CRITICAL
9.8 Mar 28

A sandbox bypass vulnerability in Jenkins Script Security Plugin 1.55 and earlier allows attackers to invoke arbitrary c

CVE-2017-1000107 HIGH
8.8 Oct 05

Script Security Plugin did not apply sandboxing restrictions to constructor invocations via positional arguments list, s

CVE-2024-34145 HIGH
8.8 May 02

A sandbox bypass vulnerability involving sandbox-defined classes that shadow specific non-sandbox-defined classes in Jen

Share

CVE-2016-3102 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy