CVE-2016-3102: Jenkins Script Security Plugin allows for Bypass of Groovy Sandbox Protection
The Script Security plugin before 1.18.1 in Jenkins might allow remote attackers to bypass a Groovy sandbox protection mechanism via a plugin that performs (1) direct field access or (2) get/set array operations.