Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1md3hxLTNmNTItNWNtY84ABB4P
Jenkins Filesystem List Parameter Plugin has Path Traversal vulnerability
Jenkins Filesystem List Parameter Plugin 0.0.14 and earlier does not restrict the path used for the File system objects list Parameter.
This allows attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system.
Filesystem List Parameter Plugin 0.0.15 ensures that paths used by the File system objects list Parameter are restricted to an allow list, with the default base directory set to $JENKINS_HOME/userContent/. The allow list can be configured to include additional custom base directories.
Permalink: https://github.com/advisories/GHSA-fwxq-3f52-5cmcJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1md3hxLTNmNTItNWNtY84ABB4P
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 13 days ago
Updated: 13 days ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS Percentage: 0.00043
EPSS Percentile: 0.10511
Identifiers: GHSA-fwxq-3f52-5cmc, CVE-2024-54004
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-54004
- https://www.jenkins.io/security/advisory/2024-11-27/#SECURITY-3367
- https://github.com/advisories/GHSA-fwxq-3f52-5cmc
Affected Packages
maven:aendter.jenkins.plugins:filesystem-list-parameter-plugin
Affected Version Ranges: < 0.0.15Fixed in: 0.0.15