Conor Oneill

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.185 and earlier Jenkins LTS versions 2.176.1 and earlier **Description** A path traversal issue allows attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory. This results in an arbitrary file write on the Jenkins master when scheduling a build. The issue is related to the `core/src/main/java/hudson/model/FileParameterValue.java` file. **Recommendations** For Jenkins versions 2.185 and earlier, update to a version that includes the fix for this issue. For Jenkins LTS versions 2.176.1 and earlier, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting the Job/Configure permission to minimize the risk of exploitation.