Vulnerabilities > CVE-2016-3102 - 7PK - Security Features vulnerability in Jenkins Script Security

CVSS 7.5 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

PARTIAL

network

low complexity

jenkins

CWE-254

nessus

NVD

Published: 2017-02-09

Updated: 2017-02-28

Summary

The Script Security plugin before 1.18.1 in Jenkins might allow remote attackers to bypass a Groovy sandbox protection mechanism via a plugin that performs (1) direct field access or (2) get/set array operations.

Vulnerable Configurations

Part	Description	Count
Application	Jenkins Jenkins Script Security 1.0 Jenkins Script Security 1.1 Jenkins Script Security 1.2 Jenkins Script Security 1.3 Jenkins Script Security 1.4 Jenkins Script Security 1.5 Jenkins Script Security 1.6 Jenkins Script Security 1.7 Jenkins Script Security 1.8 Jenkins Script Security 1.9 Jenkins Script Security 1.10 Jenkins Script Security 1.11 Jenkins Script Security 1.12 Jenkins Script Security 1.13 Jenkins Script Security 1.14 Jenkins Script Security 1.15 Jenkins Script Security 1.16 Jenkins Script Security 1.17 Jenkins Script Security 1.18	19

Common Weakness Enumeration (CWE)

CWE-254 - 7PK - Security Features

Nessus

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2016-F3B40FCBC3.NASL
description	Security fix for CVE-2016-3102. Update to 1.651.1. Fix dangling symlink (rhbz#1330472) Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-05
modified	2016-07-14
plugin id	92206
published	2016-07-14
reporter	This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/92206
title	Fedora 24 : jenkins / jenkins-credentials-plugin / jenkins-junit-plugin / etc (2016-f3b40fcbc3)

References

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-04-11