PatchSiren cyber security CVE debrief
CVE-2016-3102 Jenkins CVE debrief
CVE-2016-3102 affects the Jenkins Script Security plugin before 1.18.1. According to the Jenkins vendor advisory referenced by NVD, a Groovy script running under the plugin's sandbox could bypass the sandbox protection by using direct field access or get/set array operations, operations that the sandbox did not subject to its checks. The issue is rated HIGH and should be treated as a serious sandbox boundary bypass in any Jenkins environment that relies on the sandbox to contain user-authored scripts.
- Vendor: Jenkins
- Product: Jenkins Script Security plugin (CVE-2016-3102)
- CVSS: HIGH 7.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-02-09
- Original CVE updated: 2026-05-13
- Advisory published: 2017-02-09
- Advisory updated: 2026-05-13
Who should care
Jenkins administrators, DevOps teams, and security owners running Script Security plugin versions 1.18 or earlier should care most, especially if they allow sandboxed Groovy scripts or depend on plugins that execute Groovy on behalf of users.
Technical summary
NVD lists vulnerable Script Security plugin versions from 1.0 through 1.18; the fix is in 1.18.1. The weakness is a sandbox protection bypass: a sandboxed Groovy script that uses direct field access or get/set array operations can evade the Groovy sandbox restrictions that otherwise limit scripts to an approved set of operations. The NVD CVSS vector records network reachability, no required privileges and no user interaction, indicating a potentially broad exposure surface wherever an affected scripting path is enabled.
Defensive priority
High. Low attack complexity, no privileges and no user interaction in the vector make this a priority fix for any Jenkins installation running an affected plugin version. Note that exploitation still requires getting a Groovy script into a sandboxed execution path (for example, by configuring a Pipeline job), so rank first the instances where less-trusted users can author or edit scripts.
Recommended defensive actions
- Upgrade the Jenkins Script Security plugin to 1.18.1 or later on every controller, and restart so the new version is the one actually loaded.
- Inventory the jobs and plugins that execute Groovy under the sandbox (inline Pipeline scripts with the sandbox enabled, and any plugin that runs user-supplied Groovy on the controller); these are the paths through which a bypass would be reached.
- Review sandboxed scripts for Groovy direct field access (the obj.@field syntax) and unusual array get/set usage, the two vectors named in the advisory; a hit in a script authored by a less-trusted user warrants a closer look at what the script reached.
- Confirm that no vulnerable plugin version remains on any controller, including staging, test and disaster-recovery instances that share job definitions with production.
- Validate remediation by checking the installed Script Security plugin version against the fixed release (1.18.1 or later) on the plugin manager page or via its API, and re-check after any plugin rollback or controller rebuild.
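As an added example (not code from the original debrief or from the Jenkins project), the following Python helper implements the inventory and validation steps above offline: it compares the installed Script Security version against 1.18.1 numerically rather than as strings (so that 1.9 and 1.18 both sort below 1.18.1, and 1.19 does not), and walks a Pipeline job config.xml to report whether the inline script runs sandboxed and whether it contains Groovy direct field access, the obj.@field syntax named in the advisory. The JSON shape of the /pluginManager/api/json?depth=1 endpoint, the CpsFlowDefinition config.xml layout and the sample inputs embedded below are assumptions and constructed data, not taken from the page.

```python
"""Audit helpers for the CVE-2016-3102 checklist (Jenkins Script Security).

Added example: not code from the original debrief or from the Jenkins project.
Assumptions (not stated on the page): the JSON shape returned by Jenkins'
/pluginManager/api/json?depth=1 endpoint (plugins[].shortName, plugins[].version),
the config.xml layout of an inline-script Pipeline job (CpsFlowDefinition with
<script> and <sandbox> children), and the constructed sample data below.
"""
import json
import re
import xml.etree.ElementTree as ET

FIXED_VERSION = "1.18.1"       # first fixed Script Security release per NVD
PLUGIN_ID = "script-security"  # Jenkins short name of the plugin

# Groovy direct field access, e.g. obj.@field, one of the two bypass vectors
# named in the advisory. Array get/set (the other vector) is too common in
# legitimate scripts to flag mechanically, so it is left to manual review.
FIELD_ACCESS = re.compile(r"\.@\w+")


def parse_version(version):
    """Split '1.18.1' into (1, 18, 1) so versions compare numerically.

    String comparison would rank '1.9' above '1.18'; tuples of ints compare
    element by element, and a shorter tuple with the same prefix sorts first,
    so (1, 18) < (1, 18, 1) as required. A non-numeric suffix ends the tuple.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_vulnerable(version):
    """True when the installed version is below the fixed release."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def check_plugins(plugin_manager_json):
    """Return [(version, vulnerable)] for every script-security entry found.

    An empty list means the plugin is not installed (or the JSON is not from
    the expected endpoint); callers should report that case separately.
    """
    data = json.loads(plugin_manager_json)
    return [
        (p["version"], is_vulnerable(p["version"]))
        for p in data.get("plugins", [])
        if p.get("shortName") == PLUGIN_ID
    ]


def inventory_job(config_xml):
    """Describe one Pipeline job's inline script from its config.xml.

    Returns None for jobs that do not use CpsFlowDefinition (freestyle jobs,
    SCM-backed Pipelines); otherwise a dict with the sandbox flag and the
    direct-field-access tokens found in the script body.
    """
    root = ET.fromstring(config_xml)
    definition = root.find("definition")
    if definition is None or "CpsFlowDefinition" not in definition.get("class", ""):
        return None
    script = definition.findtext("script") or ""
    sandbox = (definition.findtext("sandbox") or "false").strip().lower() == "true"
    return {"sandbox": sandbox, "field_access": FIELD_ACCESS.findall(script)}


# Constructed sample inputs (not captured from a real controller).
SAMPLE_PLUGIN_JSON = json.dumps({"plugins": [
    {"shortName": "workflow-cps", "version": "2.29"},
    {"shortName": PLUGIN_ID, "version": "1.18"},
]})

SAMPLE_JOB_XML = """<flow-definition plugin="workflow-job@2.8">
  <definition class="org.jenkinsci.plugins.workflow.cps.CpsFlowDefinition" plugin="workflow-cps@2.29">
    <script>node { def hidden = someObject.@secretField; echo "${hidden}" }</script>
    <sandbox>true</sandbox>
  </definition>
</flow-definition>"""


if __name__ == "__main__":
    for version, vulnerable in check_plugins(SAMPLE_PLUGIN_JSON):
        state = "VULNERABLE (upgrade to %s)" % FIXED_VERSION if vulnerable else "fixed"
        print("%s %s: %s" % (PLUGIN_ID, version, state))
    job = inventory_job(SAMPLE_JOB_XML)
    print("sandboxed=%s field_access=%s" % (job["sandbox"], job["field_access"]))
```

To run it against a real controller, feed check_plugins the body of /pluginManager/api/json?depth=1 fetched with an administrator's API token, and feed inventory_job each jobs/*/config.xml under JENKINS_HOME; a job that is sandboxed and shows field-access tokens is the combination worth reviewing by hand.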
Evidence notes
This debrief is based only on the supplied NVD record and the referenced Jenkins vendor advisory. NVD identifies affected Script Security plugin versions 1.0 through 1.18 and links to the Jenkins Security Advisory 2016-04-11. The CVE was published in NVD on 2017-02-09 and the NVD entry was last modified on 2026-05-13.
Official resources
- CVE-2016-3102 CVE record (CVE.org)
- CVE-2016-3102 NVD detail (NVD)
- Source item: nvd_modified feed
- Mitigation or vendor reference: Jenkins Security Advisory 2016-04-11, listed by NVD as the Vendor Advisory
NVD published the record on 2017-02-09 and references the Jenkins Security Advisory 2016-04-11 as the vendor advisory for this issue.