This advisory announces a vulnerability in this Jenkins plugin:
SECURITY-663 / CVE-2017-1000505
Users with the ability to configure sandboxed Groovy and Pipeline scripts, including those from SCM, are able to use a type coercion feature in Groovy to create new File objects from strings. This allowed reading arbitrary files on the Jenkins controller file system.
Such a type coercion is now subject to sandbox protection and is considered to be a call to the new File(String) constructor for the purpose of in-process script approval.
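The following is an added illustration, not code from the advisory or from the Script Security plugin itself. It models the approval decision described above: an explicit constructor call and a Groovy coercion from String to File should both be judged against the same approval-list entry. The signature strings follow the form Jenkins uses in its in-process script approval list ("new java.io.File java.lang.String"); the classes, the `check_unpatched` / `check_patched` functions and the sample approval list are constructed stand-ins for the real sandbox, assumed here only to show why normalizing coercions matters.

```python
# Added example (not part of the Jenkins advisory or the Script Security
# plugin's own code): a small model of why a sandbox must treat a String-to-File
# coercion as a call to the new File(String) constructor when deciding what
# needs in-process script approval. Signature strings follow the form Jenkins
# uses for approvals ("new java.io.File java.lang.String"); everything else is
# a constructed stand-in for the real sandbox.
from dataclasses import dataclass
from typing import List, Set, Union


@dataclass(frozen=True)
class ConstructorCall:
    """An explicit `new Foo(args)` as seen by the sandbox."""
    cls: str
    arg_types: tuple


@dataclass(frozen=True)
class Coercion:
    """A Groovy type coercion such as `"x" as File` or `File f = "x"`."""
    source_type: str
    target_type: str


Operation = Union[ConstructorCall, Coercion]


def signature(call: ConstructorCall) -> str:
    """Render a constructor call in the approval-list signature form."""
    return "new " + call.cls + " " + " ".join(call.arg_types)


def check_unpatched(op: Operation, approved: Set[str]) -> bool:
    """Model of the vulnerable behaviour: only explicit constructor calls are
    compared against the approval list, so a coercion is never checked."""
    if isinstance(op, ConstructorCall):
        return signature(op) in approved
    return True  # the coercion path bypasses approval entirely


def normalize(op: Operation) -> ConstructorCall:
    """Rewrite a coercion into the constructor call it is equivalent to."""
    if isinstance(op, Coercion):
        return ConstructorCall(op.target_type, (op.source_type,))
    return op


def check_patched(op: Operation, approved: Set[str]) -> bool:
    """Model of the fixed behaviour: coercions are normalized to constructor
    calls first, so both code paths reach the same approval decision."""
    return signature(normalize(op)) in approved


def audit(ops: List[Operation], approved: Set[str], checker) -> List[str]:
    """Return the signatures the given checker would have blocked."""
    return [signature(normalize(op)) for op in ops if not checker(op, approved)]


# Constructed sample: the approval list allows StringBuilder but not File.
APPROVED = {"new java.lang.StringBuilder java.lang.String"}
SAMPLE_OPS = [
    ConstructorCall("java.lang.StringBuilder", ("java.lang.String",)),
    ConstructorCall("java.io.File", ("java.lang.String",)),
    Coercion("java.lang.String", "java.io.File"),
]

if __name__ == "__main__":
    print("unpatched blocks:", audit(SAMPLE_OPS, APPROVED, check_unpatched))
    print("patched blocks:  ", audit(SAMPLE_OPS, APPROVED, check_patched))
```

Run as a script, the unpatched model blocks only the explicit `new File(String)` call and lets the coercion through, while the patched model blocks both, which is the property an administrator reviewing pending approvals should expect: no second syntax that reaches the same constructor without showing up in the approval queue.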
SECURITY-663: medium
Script Security Plugin should be updated to version 1.37
This version includes a fix for the vulnerability described above. All prior versions are considered to be affected by this vulnerability unless otherwise indicated.
The Jenkins project would like to thank the reporter for discovering and reporting this vulnerability:
Gregory Draperi for SECURITY-663