CVE-2024-28151 – org.jenkins-ci.plugins:htmlpublisher
Package
Manager: maven
Name: org.jenkins-ci.plugins:htmlpublisher
Vulnerable Version: >=0 <1.32.1
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00209 (percentile: 0.43392)
Details
Jenkins HTML Publisher Plugin Path traversal vulnerability
Jenkins HTML Publisher Plugin 1.32 and earlier archives invalid symbolic links in report directories on agents and recreates them on the controller, allowing attackers with Item/Configure permission to determine whether a path on the Jenkins controller file system exists, without being able to access it.
Metadata
Created: 2024-03-06T18:30:38Z
Modified: 2024-10-31T19:15:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/03/GHSA-478x-m3mx-7j3f/GHSA-478x-m3mx-7j3f.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-478x-m3mx-7j3f
Finding: F063
Auto approve: 1