Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jdzVyLWp4OHItOWY3eM4AA8iW
Jenkins Report Info Plugin Path Traversal vulnerability
Jenkins Report Info Plugin 1.2 and earlier does not perform path validation of the workspace directory while serving report files.
Additionally, Report Info Plugin does not support distributed builds.
This results in a path traversal vulnerability, allowing attackers with Item/Configure permission to retrieve Surefire failures, PMD violations, Findbugs bugs, and Checkstyle errors on the controller file system by editing the workspace path.
As of publication of this advisory, there is no fix.
Permalink: https://github.com/advisories/GHSA-cw5r-jx8r-9f7xJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jdzVyLWp4OHItOWY3eM4AA8iW
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 6 months ago
Updated: 16 days ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-cw5r-jx8r-9f7x, CVE-2024-5273
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-5273
- https://www.jenkins.io/security/advisory/2024-05-24/#SECURITY-3070
- http://www.openwall.com/lists/oss-security/2024/05/24/2
- https://github.com/advisories/GHSA-cw5r-jx8r-9f7x
Affected Packages
maven:org.jenkins-ci.plugins:report-info
Affected Version Ranges: <= 1.2No known fixed version