Darren Zhao

**Name of the Vulnerable Software and Affected Versions** Jenkins versions 2.88 and earlier Jenkins versions 2.73.2 and earlier **Description** The issue arises from how Jenkins stores metadata related to 'people', which includes actual user accounts and users from SCM, in directories on disk. These directories are named using the user ID without any additional escaping, which could lead to issues such as overwriting unrelated configuration files. **Recommendations** For Jenkins versions 2.88 and earlier, update to a version later than 2.88 to resolve the issue. For Jenkins versions 2.73.2 and earlier, update to a version later than 2.73.2 to resolve the issue.