CVE-2017-1000505
Description
In Jenkins Script Security Plugin version 1.36 and earlier, users with the ability to configure sandboxed Groovy scripts are able to use a type coercion feature in Groovy to create new File objects from strings. This allowed reading arbitrary files on the Jenkins master file system. Such a type coercion is now subject to sandbox protection and considered to be a call to the new File(String) constructor for the purpose of in-process script approval.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
In Jenkins Script Security Plugin ≤1.36, sandboxed Groovy type coercion allowed arbitrary file read from the Jenkins controller.
Vulnerability
Script Security Plugin 1.36 and earlier lets users who can configure sandboxed Groovy scripts (including Pipeline scripts loaded from SCM) bypass one of the sandbox's restrictions. Groovy can coerce a String into a File (for example, the expression "/some/path" as File), and the sandbox did not subject that coercion to the check it applies to an explicit new File(String) call. A sandboxed script could therefore obtain File objects for paths of its choosing on the controller file system, which the sandbox is meant to prevent [1][2].
Exploitation
Exploitation requires the ability to get a sandboxed Groovy script executed by the controller: typically Job/Configure on a Pipeline job, or commit access to a repository whose Jenkinsfile the controller builds. Users holding Overall/RunScripts can already run unsandboxed scripts, so the bypass adds nothing for them. The attacker writes a script that coerces a controlled string into a File (for example a path under $JENKINS_HOME/secrets) and then reads it, e.g. through the File's text or eachLine. Versions up to 1.36 did not intercept the coercion; 1.37 treats it as a call to the new File(String) constructor, so it is rejected unless an administrator has approved that signature [2].
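The following is an added example, not code from the Jenkins advisory or from the Script Security plugin. It shows the gap the advisory describes: Groovy's String-to-File coercion yields a java.io.File even though the source contains no new File(...) expression, so a sandbox that checks only explicit constructor calls does not see it. It runs with plain groovy outside Jenkins; the "secret" it reads is a temporary file it creates itself (a constructed sample, not a controller file), and the $JENKINS_HOME/secrets/master.key path in the comment is only the kind of target an attacker would pick.

```groovy
// Added example (not from the advisory or the plugin). Demonstrates the two ways of
// obtaining a java.io.File from a String that SECURITY-663 is about.
import java.nio.file.Files

// Constructed stand-in for a controller-side secret such as $JENKINS_HOME/secrets/master.key
File sample = Files.createTempFile("sec663-", ".key").toFile()
sample.deleteOnExit()
sample.text = "constructed-sample-secret\n"
String path = sample.absolutePath   // in an attack this string is attacker-controlled

// (a) The form the sandbox always intercepted: an explicit constructor call, checked
//     against the script-approval signature `new java.io.File java.lang.String`.
File viaConstructor = new File(path)

// (b) The form the advisory describes: Groovy's `as` coercion. At runtime Groovy turns
//     this into new File(path), but the script contains no constructor expression.
//     Script Security <= 1.36 let it through; >= 1.37 treats it exactly like (a) and
//     rejects it in the sandbox unless that signature has been approved.
File viaCoercion = path as File

// Both expressions produce the same File; only the second escaped the old sandbox.
assert viaConstructor == viaCoercion
assert viaCoercion.class == File
assert viaCoercion.text == "constructed-sample-secret\n"
println "coercion produced ${viaCoercion.class.name} -> ${viaCoercion.text.trim()}"
```

Run it with "groovy example.groovy". Inside a Jenkins sandbox the subsequent read (text, eachLine, readLines) is a separate intercepted call; the point of the fix is that the File object itself can no longer be obtained without the constructor signature being approved.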
Impact
Successful exploitation lets an attacker read arbitrary files from the Jenkins controller file system: job and global configuration, credentials.xml, and the keys under $JENKINS_HOME/secrets. Reading those keys together with the encrypted credential store is enough to decrypt stored credentials, so a read-only primitive on the controller usually escalates to compromise of the systems those credentials reach. In terms of this CVE alone, confidentiality is fully compromised while integrity and availability are not directly affected [1][2].
Mitigation
The fix shipped in Script Security Plugin 1.37 with the Jenkins security advisory of 2017-12-11 [2]; update to 1.37 or later. There is no workaround. Disabling the plugin is not viable because Pipeline depends on it, so until the update is applied, limit who can configure Pipeline jobs and who can push Jenkinsfiles to repositories the controller builds. After updating, a script that uses the coercion appears in the in-process script approval queue as the signature new java.io.File java.lang.String; approving that signature would reopen the issue. The vulnerability is not listed in the CISA KEV catalog as of the publication date.
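As an added check, not part of the advisory or the plugin, the script below audits the signatures an administrator has approved or left pending in $JENKINS_HOME/scriptApproval.xml and flags any that reach the controller file system, since approving new java.io.File java.lang.String after the upgrade would reopen the hole. It parses a constructed sample that mirrors the plugin's XStream on-disk format (element names approvedSignatures/string and pendingSignatures/pendingSignature/signature are the assumption here); the marker list is illustrative, not a complete inventory of dangerous signatures.

```groovy
// Added example (not from the advisory or the plugin): audit approved/pending
// script-security signatures for file-system access.
import groovy.util.XmlSlurper   // Groovy 2.x as bundled with Jenkins; Groovy 4 moved it to groovy.xml

// Constructed sample in the shape of scriptApproval.xml; not taken from a real controller.
String sampleXml = '''<scriptApproval plugin="script-security@1.37">
  <approvedScriptHashes/>
  <approvedSignatures>
    <string>method java.lang.String trim</string>
    <string>new java.io.File java.lang.String</string>
    <string>staticMethod org.codehaus.groovy.runtime.ResourceGroovyMethods getText java.io.File</string>
  </approvedSignatures>
  <pendingSignatures>
    <pendingSignature>
      <signature>method java.io.File eachLine groovy.lang.Closure</signature>
    </pendingSignature>
  </pendingSignatures>
</scriptApproval>'''

/** Returns the approved or pending signatures that touch the controller file system. */
List<String> auditSignatures(String xml) {
    // Illustrative markers for direct file access; extend for your environment.
    List<String> markers = ['java.io.File', 'java.nio.file', 'java.io.FileInputStream', 'java.io.FileReader']
    def root = new XmlSlurper().parseText(xml)
    List<String> signatures = []
    root.approvedSignatures.string.each { signatures << "approved: ${it.text()}".toString() }
    root.pendingSignatures.pendingSignature.each { signatures << "pending:  ${it.signature.text()}".toString() }
    return signatures.findAll { s -> markers.any { m -> s.contains(m) } }
}

List<String> findings = auditSignatures(sampleXml)
// The sample contains three file-reaching signatures; "method java.lang.String trim" is harmless.
assert findings.size() == 3
assert findings.contains('approved: new java.io.File java.lang.String')
findings.each { println "FLAG ${it}" }

// Against a live controller (run where JENKINS_HOME is readable):
// auditSignatures(new File(System.getenv('JENKINS_HOME'), 'scriptApproval.xml').text).each { println it }
```

Anything this flags under "approved" should be revoked from Manage Jenkins > In-process Script Approval and the scripts that needed it rewritten to use Pipeline steps (readFile, withCredentials) instead of raw file access.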
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins:script-security | Maven | < 1.37 | 1.37 |
Affected products: 1
Patches: no patch commits discovered yet.
References
- https://github.com/advisories/GHSA-r9jf-hf9x-7hrv (GitHub Security Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2017-1000505 (NVD)
- https://jenkins.io/security/advisory/2017-12-11/ (Jenkins security advisory; cited by GHSA and listed by MITRE as a CONFIRM reference)