Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-fwxq-3f52-5cmc: Jenkins Filesystem List Parameter Plugin has Path Traversal vulnerability

Jenkins Filesystem List Parameter Plugin 0.0.14 and earlier does not restrict the path used for the File system objects list Parameter.

This allows attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system.

Filesystem List Parameter Plugin 0.0.15 ensures that paths used by the File system objects list Parameter are restricted to an allow list, with the default base directory set to $JENKINS_HOME/userContent/. The allow list can be configured to include additional custom base directories.

ghsa
#vulnerability#git#java#maven
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2024-54004

Jenkins Filesystem List Parameter Plugin has Path Traversal vulnerability

Moderate severity GitHub Reviewed Published Nov 27, 2024 to the GitHub Advisory Database • Updated Nov 27, 2024

Package

maven aendter.jenkins.plugins:filesystem-list-parameter-plugin (Maven)

Affected versions

< 0.0.15

Jenkins Filesystem List Parameter Plugin 0.0.14 and earlier does not restrict the path used for the File system objects list Parameter.

This allows attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system.

Filesystem List Parameter Plugin 0.0.15 ensures that paths used by the File system objects list Parameter are restricted to an allow list, with the default base directory set to $JENKINS_HOME/userContent/. The allow list can be configured to include additional custom base directories.

References

  • https://nvd.nist.gov/vuln/detail/CVE-2024-54004
  • https://www.jenkins.io/security/advisory/2024-11-27/#SECURITY-3367

Published to the GitHub Advisory Database

Nov 27, 2024

Last updated

Nov 27, 2024

ghsa: Latest News

GHSA-cmwp-442x-3rcv: Piranha CMS Cross-site Scripting vulnerability