CVE-2017-1000505: Information Exposure

January 25, 2018 (updated February 9, 2018)

Users with the ability to configure sandboxed Groovy scripts are able to use a type coercion feature in Groovy to create new File objects from strings. This allowed reading arbitrary files on the Jenkins master file system. Such a type coercion is now subject to sandbox protection and considered to be a call to the new File(String) constructor for the purpose of in-process script approval.

References

jenkins.io/security/advisory/2017-12-11/
nvd.nist.gov/vuln/detail/CVE-2017-1000505

Code Behaviors & Features

Detect and mitigate CVE-2017-1000505 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →