Base Score

HIGH7.3

CVE-2016-3102

The Script Security plugin before 1.18.1 in Jenkins might allow remote attackers to bypass a Groovy sandbox protection mechanism via a plugin that performs (1) direct field access or (2) get/set array operations.

VectorNETWORK

Published Bysecalert@redhat.com

Published DateFeb 09, 2017, 15:59

Affected Versions(1)

org.jenkins-ci.plugins:script-security(Maven)

Introduced0

Fixed1.18.1

LimitN/A

Package (Ecosystem)	Introduced	Fixed	Limit
org.jenkins-ci.plugins:script-security(Maven)	0	1.18.1	N/A

Weakness Type (CWE):CWE-254

CVSS Metrics

Base Score

7.3

Vector String

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Base Severity

HIGH

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

LOW

References

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-04-11

Base Score

HIGH7.3

Weakness Type (CWE):CWE-254

CVSS Metrics

Base Score

7.3

Vector String

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Base Severity

HIGH

Version

3.0

Attack Vector (AV)

NETWORK

Attack Complexity (AC)

LOW

Privileges Required (PR)

NONE

User Interaction (UI)

NONE

Scope (S)

UNCHANGED

Confidentiality (C)

LOW

Integrity (I)

LOW

Availability (A)

LOW