This advisory announces a vulnerability in this Jenkins plugin:
SECURITY-663 / CVE-2017-1000505
Users with the ability to configure sandboxed Groovy and Pipeline scripts, including those from SCM, are able to use a type coercion feature in Groovy to create new
File objects from strings. This allowed reading arbitrary files on the Jenkins controller file system.
Such a type coercion is now subject to sandbox protection and considered to be a call to the
new File(String) constructor for the purpose of in-process script approval.
Script Security Plugin should be updated to version 1.37
These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
The Jenkins project would like to thank the reporter for discovering and reporting this vulnerability:
Gregory Draperi for SECURITY-663