CVE-2017-1000505: Information Exposure
Users with the ability to configure sandboxed Groovy scripts are able to use a type coercion feature in Groovy to create new File objects from strings. This allowed reading arbitrary files on the Jenkins master file system. Such a type coercion is now subject to sandbox protection and is considered to be a call to the new File(String) constructor for the purpose of in-process script approval.