CVE-2016-3102

Published Feb 9, 2017

Last updated 8 years ago

CVSS high 7.3

Overview

Description: The Script Security plugin before 1.18.1 in Jenkins might allow remote attackers to bypass a Groovy sandbox protection mechanism via a plugin that performs (1) direct field access or (2) get/set array operations.
Source: secalert@redhat.com
NVD status: Analyzed

Risk scores

CVSS 3.0

Type: Primary
Base score: 7.3
Impact score: 3.4
Exploitability score: 3.9
Vector string: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Severity: HIGH

CVSS 2.0

Type: Primary
Base score: 7.5
Impact score: 6.4
Exploitability score: 10
Vector string: AV:N/AC:L/Au:N/C:P/I:P/A:P

Weaknesses

nvd@nist.gov: CWE-254

Hype score: Not currently trending

Configurations

[
  {
    "nodes": [
      {
        "negate": false,
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:jenkins:script_security:1.0:*:*:*:*:jenkins:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0941B222-5731-4A1A-8B67-C33EE931FE91"
          },
          {
            "criteria": "cpe:2.3:a:jenkins:script_security:1.1:*:*:*:*:jenkins:*:*",
            "vulnerable": true,
            "matchCriteriaId": "71689F37-4025-41B7-A5E4-546B70EC799E"
          },
          {
            "criteria": "cpe:2.3:a:jenkins:script_security:1.2:*:*:*:*:jenkins:*:*",
            "vulnerable": true,
            "matchCriteriaId": "BD094183-2145-47E7-93F9-077BB11F88DB"
          },
          {
            "criteria": "cpe:2.3:a:jenkins:script_security:1.3:*:*:*:*:jenkins:*:*",
            "vulnerable": true,
            "matchCriteriaId": "9A263A3A-EFA7-4EF1-B882-9A48E02F7992"
          },
          {
            "criteria": "cpe:2.3:a:jenkins:script_security:1.4:*:*:*:*:jenkins:*:*",
            "vulnerable": true,
            "matchCriteriaId": "05397C2C-1768-44DE-9DF3-28CEC2E64A12"
          },
          {
            "criteria": "cpe:2.3:a:jenkins:script_security:1.5:*:*:*:*:jenkins:*:*",
            "vulnerable": true,
            "matchCriteriaId": "F0B4DA55-99E8-4D12-8E76-57A7F0E68530"
          },
          {
            "criteria": "cpe:2.3:a:jenkins:script_security:1.6:*:*:*:*:jenkins:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5F322056-8B48-4039-B5E1-3F6B5BD51DEA"
          },
          {
            "criteria": "cpe:2.3:a:jenkins:script_security:1.7:*:*:*:*:jenkins:*:*",
            "vulnerable": true,
            "matchCriteriaId": "B06D3B5D-3104-45F2-8D00-8A063F583193"
          },
          {
            "criteria": "cpe:2.3:a:jenkins:script_security:1.8:*:*:*:*:jenkins:*:*",
            "vulnerable": true,
            "matchCriteriaId": "138A02CC-41B0-4383-9457-5A5D3F64D14D"
          },
          {
            "criteria": "cpe:2.3:a:jenkins:script_security:1.9:*:*:*:*:jenkins:*:*",
            "vulnerable": true,
            "matchCriteriaId": "45E3C087-7204-4344-A600-C39058109AAF"
          },
          {
            "criteria": "cpe:2.3:a:jenkins:script_security:1.10:*:*:*:*:jenkins:*:*",
            "vulnerable": true,
            "matchCriteriaId": "28FFDA44-7EB9-44D4-98B0-CF3EB916315E"
          },
          {
            "criteria": "cpe:2.3:a:jenkins:script_security:1.11:*:*:*:*:jenkins:*:*",
            "vulnerable": true,
            "matchCriteriaId": "81B21C43-B7DB-4BCA-9335-727A9D3BA164"
          },
          {
            "criteria": "cpe:2.3:a:jenkins:script_security:1.12:*:*:*:*:jenkins:*:*",
            "vulnerable": true,
            "matchCriteriaId": "0AEDDF46-E6A1-4A61-96EC-4A796B3C1CA9"
          },
          {
            "criteria": "cpe:2.3:a:jenkins:script_security:1.13:*:*:*:*:jenkins:*:*",
            "vulnerable": true,
            "matchCriteriaId": "EDDB123B-C69A-4C4B-A699-E27781407C82"
          },
          {
            "criteria": "cpe:2.3:a:jenkins:script_security:1.14:*:*:*:*:jenkins:*:*",
            "vulnerable": true,
            "matchCriteriaId": "6744EE4A-6476-47A5-A2C8-13DC0606A90C"
          },
          {
            "criteria": "cpe:2.3:a:jenkins:script_security:1.15:*:*:*:*:jenkins:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5D575F1B-8B43-488A-B37B-AC895C03A57C"
          },
          {
            "criteria": "cpe:2.3:a:jenkins:script_security:1.16:*:*:*:*:jenkins:*:*",
            "vulnerable": true,
            "matchCriteriaId": "5DE8CF02-A8D4-4E27-B799-2E1BFD511A3D"
          },
          {
            "criteria": "cpe:2.3:a:jenkins:script_security:1.17:*:*:*:*:jenkins:*:*",
            "vulnerable": true,
            "matchCriteriaId": "A8B0A689-7F7B-4F93-A032-E693310CFDD5"
          },
          {
            "criteria": "cpe:2.3:a:jenkins:script_security:1.18:*:*:*:*:jenkins:*:*",
            "vulnerable": true,
            "matchCriteriaId": "452403BE-08F3-466C-82E1-DEE70668D2A1"
          }
        ],
        "operator": "OR"
      }
    ]
  }
]

Overview

Risk scores

CVSS 3.0

CVSS 2.0

Weaknesses

Social media

Configurations

References