8.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-1000096

GHSA ID

GHSA-mhwq-4mh7-fv7c

EPSS Score

0.41884%

CWE

CWE-732

Published

5/13/2022

Updated

1/30/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-1000096

CVE-2017-1000096: Arbitrary code execution due to incomplete sandbox protection in Jenkins Pipeline

Arbitrary code execution due to incomplete sandbox protection: Constructors, instance variable initializers, and instance initializers in Pipeline scripts were not subject to sandbox protection, and could therefore execute arbitrary code. This could be exploited e.g. by regular Jenkins users with the permission to configure Pipelines in Jenkins, or by trusted committers to repositories containing Jenkinsfiles.

(GitHub Advisory)

8.8

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-1000096

GHSA ID

GHSA-mhwq-4mh7-fv7c

EPSS Score

0.41884%

CWE

CWE-732

Published

5/13/2022

Updated

1/30/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins.workflow:workflow-cps	maven	<= 2.36	2.36.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing sandbox protection in three specific Groovy language constructs: constructors, instance variable initializers, and instance initializers. The CpsTransformer class in workflow-cps is responsible for AST transformations that implement CPS execution model and sandboxing.

visitConstructorOrMethod would handle constructor definitions - without sandbox interceptor wrapping, constructor bodies could execute arbitrary code
visitField processes field declarations with initializers - vulnerable when initializer expressions weren't sandboxed
parseScript is the entry point where these vulnerabilities would manifest during script execution

Confidence is medium as we're inferring implementation details from vulnerability description rather than explicit patch diffs, but these are the canonical components handling the vulnerable code structures based on Jenkins Pipeline architecture.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*r*itr*ry *o** *x**ution *u* to in*ompl*t* s*n**ox prot**tion: *onstru*tors, inst*n** v*ri**l* initi*liz*rs, *n* inst*n** initi*liz*rs in Pip*lin* s*ripts w*r* not su*j**t to s*n**ox prot**tion, *n* *oul* t**r**or* *x**ut* *r*itr*ry *o**. T*is *oul*

Reasoning

T** vuln*r**ility st*ms *rom missin* s*n**ox prot**tion in t*r** sp**i*i* *roovy l*n*u*** *onstru*ts: *onstru*tors, inst*n** v*ri**l* initi*liz*rs, *n* inst*n** initi*liz*rs. T** *psTr*ns*orm*r *l*ss in work*low-*ps is r*sponsi*l* *or *ST tr*ns*orm*t

8.8

Basic Information

Concerned about an active attack path?

CVE-2017-1000096: Arbitrary code execution due to incomplete sandbox protection in Jenkins Pipeline

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI