High severity8.8NVD Advisory· Published Oct 5, 2017· Updated May 13, 2026

CVE-2017-1000096

Description

Arbitrary code execution due to incomplete sandbox protection: Constructors, instance variable initializers, and instance initializers in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. This could be exploited e.g. by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.jenkins-ci.plugins.workflow:workflow-cpsMaven	< 2.36.1	2.36.1

Affected products

Jenkins/Pipeline\
cpe:2.3:a:jenkins:pipeline\:_groovy:*:*:*:*:*:jenkins:*:*
Range: <=2.36

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.securityfocus.com/bid/99571nvdThird Party AdvisoryVDB EntryWEB
github.com/advisories/GHSA-mhwq-4mh7-fv7cghsaADVISORY
jenkins.io/security/advisory/2017-07-10/nvdVendor Advisory
nvd.nist.gov/vuln/detail/CVE-2017-1000096ghsaADVISORY
jenkins.io/security/advisory/2017-07-10ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000