https://bugzilla.redhat.com/show_bug.cgi?id=1471060
--- Doc Text *updated* by Kurt Seifried <kseifried(a)redhat.com> ---
The jenkins-plugin-script-security improperly whitelisted
"DefaultGroovyMethods.putAt(Object, String, Object)" and
"DefaultGroovyMethods.getAt(Object, String)", which allow attackers to bypass
many restrictions and potentially trigger builds or access data they should not have
access to. Please note that exploitation of this requires the attacker to have access to
the Jenkins instance, and for that Jenkins instance to also be hosting other projects
that the attacker should not have access to.
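As an added example (not part of the bug report or the plugin's code), the following audit looks for the two signatures named above among an instance's locally approved signatures. This is a separate check from the plugin's built-in whitelist that the bug concerns. The `scriptApproval.xml` layout, the `staticMethod <class> <method> <param types>` notation and the sample data are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# The two signatures from the doc text, in the whitelist notation assumed
# here: "staticMethod <class> <method> <param types...>".
DGM = "org.codehaus.groovy.runtime.DefaultGroovyMethods"
RISKY = {
    ("staticMethod", DGM, "putAt",
     ("java.lang.Object", "java.lang.String", "java.lang.Object")),
    ("staticMethod", DGM, "getAt",
     ("java.lang.Object", "java.lang.String")),
}

def parse_signature(line):
    """Split one entry into (kind, class, member, param types), or None."""
    parts = line.split()
    if len(parts) < 3:
        return None
    return (parts[0], parts[1], parts[2], tuple(parts[3:]))

def find_risky_approvals(xml_text):
    """Return approved signatures that exactly match the two risky overloads."""
    # Drop the XML declaration: a version='1.1' header is rejected by
    # Python's expat parser, which only accepts XML 1.0.
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(xml_text)
    hits = []
    for node in root.iterfind("./approvedSignatures/string"):
        text = (node.text or "").strip()
        if parse_signature(text) in RISKY:
            hits.append(text)
    return hits

# Constructed sample, not taken from a real Jenkins instance.
SAMPLE = """<?xml version='1.1' encoding='UTF-8'?>
<scriptApproval plugin="script-security">
  <approvedSignatures>
    <string>method java.lang.String trim</string>
    <string>staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt java.lang.Object java.lang.String</string>
    <string>staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods getAt java.util.List int</string>
    <string>staticMethod org.codehaus.groovy.runtime.DefaultGroovyMethods putAt java.lang.Object java.lang.String java.lang.Object</string>
  </approvedSignatures>
</scriptApproval>"""

if __name__ == "__main__":
    for sig in find_risky_approvals(SAMPLE):
        print("review:", sig)
```

Only the exact `(Object, String)` and `(Object, String, Object)` overloads are flagged; other `getAt`/`putAt` overloads, such as the list-index form in the sample, are left alone.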