CVE-2018-1000175

Name of the Vulnerable Software and Affected Versions Jenkins HTML Publisher Plugin versions 1.15 and older

Description A path traversal issue exists in the HtmlPublisherTarget.java file, allowing attackers who can configure the HTML Publisher build step to override arbitrary files on the Jenkins master. This issue is related to the handling of report names, which in vulnerable versions do not properly escape non-alphanumeric characters for use as part of a URL and as a directory name.

Recommendations For Jenkins HTML Publisher Plugin versions 1.15 and older, update to version 1.16 or newer, which escapes non-alphanumeric characters in report names for use as part of a URL and as a directory name, addressing the path traversal issue.