Medium severity6.5NVD Advisory· Published Jan 25, 2018· Updated Jun 17, 2026
CVE-2017-1000505
CVE-2017-1000505
Description
In Jenkins Script Security Plugin version 1.36 and earlier, users with the ability to configure sandboxed Groovy scripts are able to use a type coercion feature in Groovy to create new File objects from strings. This allowed reading arbitrary files on the Jenkins master file system. Such a type coercion is now subject to sandbox protection and considered to be a call to the new File(String) constructor for the purpose of in-process script approval.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jenkins-ci.plugins:script-securityMaven | < 1.37 | 1.37 |
Affected products
1Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-r9jf-hf9x-7hrvghsaADVISORY
- jenkins.io/security/advisory/2017-12-11/nvdVendor Advisory
- nvd.nist.gov/vuln/detail/CVE-2017-1000505ghsaADVISORY
- jenkins.io/security/advisory/2017-12-11ghsaWEB
News mentions
0No linked articles in our index yet.