CVE-2019-10352

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.185 and earlier Jenkins LTS versions 2.176.1 and earlier

Description A path traversal issue allows attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory. This results in an arbitrary file write on the Jenkins master when scheduling a build. The issue is related to the core/src/main/java/hudson/model/FileParameterValue.java file.

Recommendations For Jenkins versions 2.185 and earlier, update to a version that includes the fix for this issue. For Jenkins LTS versions 2.176.1 and earlier, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting the Job/Configure permission to minimize the risk of exploitation.