{"id":"CVE-2016-3102","details":"The Script Security plugin before 1.18.1 in Jenkins might allow remote attackers to bypass a Groovy sandbox protection mechanism via a plugin that performs (1) direct field access or (2) get/set array operations.","aliases":["GHSA-xgjx-96v4-mqxx"],"modified":"2026-04-10T03:49:23.159138Z","published":"2017-02-09T15:59:01.003Z","references":[{"type":"ADVISORY","url":"https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2016-04-11"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/script-security-plugin","events":[{"introduced":"0"},{"last_affected":"acc9ebe61a89792e7654fa30f52b7ef788f31f21"},{"introduced":"0"},{"last_affected":"d10091f6d8a131babce5ef529c91ee7ef6d7ae4f"},{"introduced":"0"},{"last_affected":"dba1b42d46520448f3ff1a9efd24a5258c8f6982"},{"introduced":"0"},{"last_affected":"8e2b7e9675ec4efc04eeacf100360930572bfe8d"},{"introduced":"0"},{"last_affected":"086e6cc787354646e1ef2b83eab20747746c4be1"},{"introduced":"0"},{"last_affected":"5fd61755d1a4f136d9503a2120c8364b60d3a5c1"},{"introduced":"0"},{"last_affected":"eb38c2d9caefdc0d09a8eccea8e31fac7e55ac27"},{"introduced":"0"},{"last_affected":"9d3eb5592ac2573bc6bdc7916a5a394cde39d08b"},{"introduced":"0"},{"last_affected":"10511ba9e324fa9116b33e3482c2e7e5288b217b"},{"introduced":"0"},{"last_affected":"6ea702198969397e05dcbc2d12023e3608952fbb"},{"introduced":"0"},{"last_affected":"10c5625f8e930098068dcca40763dc5c9c0ad052"},{"introduced":"0"},{"last_affected":"1fe2bedf7a3efac25d3328a48dac1ae802b7a806"},{"introduced":"0"},{"last_affected":"d69a95f282cae0aafbffc39cbaa02f237f773171"},{"introduced":"0"},{"last_affected":"1544de66f855734b96df34c4499bf1d4b813ba6e"},{"introduced":"0"},{"last_affected":"e6313e2fc80dc21faec21aedd9ca1d56711a0b22"},{"introduced":"0"},{"last_affected":"5387328481a23e0feab57bd87e68049df5113a1b"},{"introduced":"0"},{"last_affected":"29ea1798a6a42bc032c5659fc3f281c7c8af14e8"},{"introduced":"0"},{"last_affected":"3ddf1462410d757abe0edbf11d3dffe63f527ff0"},{"introduced":"0"},{"last_affected":"36e53d8ea23fa042071252877a74e824a6d314aa"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.0"},{"introduced":"0"},{"last_affected":"1.1"},{"introduced":"0"},{"last_affected":"1.2"},{"introduced":"0"},{"last_affected":"1.3"},{"introduced":"0"},{"last_affected":"1.4"},{"introduced":"0"},{"last_affected":"1.5"},{"introduced":"0"},{"last_affected":"1.6"},{"introduced":"0"},{"last_affected":"1.7"},{"introduced":"0"},{"last_affected":"1.8"},{"introduced":"0"},{"last_affected":"1.9"},{"introduced":"0"},{"last_affected":"1.10"},{"introduced":"0"},{"last_affected":"1.11"},{"introduced":"0"},{"last_affected":"1.12"},{"introduced":"0"},{"last_affected":"1.13"},{"introduced":"0"},{"last_affected":"1.14"},{"introduced":"0"},{"last_affected":"1.15"},{"introduced":"0"},{"last_affected":"1.16"},{"introduced":"0"},{"last_affected":"1.17"},{"introduced":"0"},{"last_affected":"1.18"}]}}],"versions":["script-security-1.0","script-security-1.0-beta-1","script-security-1.0-beta-2","script-security-1.0-beta-3","script-security-1.0-beta-4","script-security-1.0-beta-5","script-security-1.0-beta-6","script-security-1.1","script-security-1.10","script-security-1.11","script-security-1.12","script-security-1.13","script-security-1.14","script-security-1.15","script-security-1.16","script-security-1.17","script-security-1.18","script-security-1.2","script-security-1.3","script-security-1.4","script-security-1.5","script-security-1.6","script-security-1.7","script-security-1.8","script-security-1.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2016-3102.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"}]}