CVE-2024-54004 – aendter.jenkins.plugins:filesystem-list-parameter-plugin

Package

Manager: maven
Name: aendter.jenkins.plugins:filesystem-list-parameter-plugin
Vulnerable Version: >=0 <0.0.15

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00154 pctl0.36748

Details

Jenkins Filesystem List Parameter Plugin has Path Traversal vulnerability Jenkins Filesystem List Parameter Plugin 0.0.14 and earlier does not restrict the path used for the File system objects list Parameter. This allows attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system. Filesystem List Parameter Plugin 0.0.15 ensures that paths used by the File system objects list Parameter are restricted to an allow list, with the default base directory set to $JENKINS_HOME/userContent/. The allow list can be configured to include additional custom base directories.

Metadata

Created: 2024-11-27T18:34:04Z
Modified: 2024-11-27T20:12:13Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/11/GHSA-fwxq-3f52-5cmc/GHSA-fwxq-3f52-5cmc.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-fwxq-3f52-5cmc
Finding: F063
Auto approve: 1