-
Bug
-
Resolution: Fixed
-
Critical
-
None
-
Jenkins ver. 2.46.1
According to https://jenkins.io/security/advisory/2017-04-10/ this plugin suffers from arbitrary code execution vulnerability.
[JENKINS-43637] Arbitrary code execution vulnerability
Code changed in jenkins
User: Daniel Heid
Path:
src/main/java/org/jenkinsci/plugins/postbuildscript/service/ScriptExecutor.java
http://jenkins-ci.org/commit/postbuildscript-plugin/a6e82abb5c5be6b5303f548bffc7ebbe9ae27d76
Log:
JENKINS-43637 Secures groovy script execution
Code changed in jenkins
User: Daniel Heid
Path:
.gitignore
pom.xml
src/main/java/org/jenkinsci/plugins/postbuildscript/PostBuildScript.java
src/main/java/org/jenkinsci/plugins/postbuildscript/PostBuildScriptListener.java
src/main/java/org/jenkinsci/plugins/postbuildscript/service/ScriptExecutor.java
http://jenkins-ci.org/commit/postbuildscript-plugin/3d33744ba1c459beb8e6c46c1112ab236b18a699
Log:
Merge pull request #15 from dheid/master
JENKINS-43637 Secures groovy script execution
Compare: https://github.com/jenkinsci/postbuildscript-plugin/compare/cdceecee4243...3d33744ba1c4
Code changed in jenkins
User: Daniel Heid
Path:
src/main/resources/artifact-ignores.properties
src/main/resources/warnings.json
http://jenkins-ci.org/commit/backend-update-center2/c02dcbe2c40684f196fd118b3885770963dbc913
Log:
JENKINS-43637 Removed blacklisting from PostBuildScript plugin and customized update center warning
Code changed in jenkins
User: Daniel Beck
Path:
src/main/resources/artifact-ignores.properties
src/main/resources/warnings.json
http://jenkins-ci.org/commit/backend-update-center2/63abf23d696ee85cff3c5121a1c4224213bd3eb6
Log:
Merge pull request #169 from dheid/master
JENKINS-43637 Removed blacklisting from PostBuildScript plugin
Compare: https://github.com/jenkins-infra/backend-update-center2/compare/bf2b908ebd12...63abf23d696e
Code changed in jenkins
User: Daniel Spilker
Path:
docs/Home.md
docs/Migration.md
job-dsl-core/src/main/groovy/javaposse/jobdsl/dsl/helpers/publisher/PublisherContext.groovy
job-dsl-core/src/test/groovy/javaposse/jobdsl/dsl/helpers/publisher/PublisherContextSpec.groovy
http://jenkins-ci.org/commit/job-dsl-plugin/ef3a5831d774ef8597727ab7e9a5ef18904cf01e
Log:
Merge pull request #1097 from daspilker/JENKINS-43637
Un-deprecated support for the PostBuildScript plugin
Compare: https://github.com/jenkinsci/job-dsl-plugin/compare/465b8b79c22b...ef3a5831d774
Hi! I integrated the SecureGroovyScript class into the plugin to solve the mentioned vulnerability:
https://github.com/jenkinsci/postbuildscript-plugin/pull/15