Описание
Path traversal vulnerability on Windows in Jenkins
The file browser for workspaces, archived artifacts, and userContent/ in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier may interpret some paths to files as absolute on Windows.
This results in a path traversal vulnerability allowing attackers with Overall/Read permission (Windows controller) or Job/Workspace permission (Windows agents) to obtain the contents of arbitrary files.\n\nThe file browser in Jenkins 2.315, LTS 2.303.2 refuses to serve files that would be considered absolute paths.
Пакеты
org.jenkins-ci.main:jenkins-core
<= 2.303.1
2.303.2
org.jenkins-ci.main:jenkins-core
>= 2.304, <= 2.314
2.315
Связанные уязвимости
The file browser in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier may interpret some paths to files as absolute on Windows, resulting in a path traversal vulnerability allowing attackers with Overall/Read permission (Windows controller) or Job/Workspace permission (Windows agents) to obtain the contents of arbitrary files.
The file browser in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier ...