
Yangyue

Researcher from Nebulalab
#29072 of 53,632
8.8 Total CVSS
Vulnerabilities · 1
PT-2024-5496
8.8
2024-08-07
Remoting · Remoting · CVE-2024-43044
**Name of the Vulnerable Software and Affected Versions**

Jenkins versions 2.470 and earlier, LTS versions 2.452.3 and earlier

**Description**

A critical issue in Jenkins allows agent processes to read arbitrary files from the Jenkins controller file system by using the `ClassLoaderProxy#fetchJar` method in the Remoting library. This can lead to sensitive data exposure and potentially allow attackers to perform remote code execution (RCE) on Jenkins controllers. The vulnerability is related to the Remoting library's ability to load classes and classloader resources from the controller, which can be exploited by attackers with Agent/Connect permission. It is estimated that around 524,309 devices may be affected.

**Recommendations**

For Jenkins versions 2.470 and earlier, and LTS versions 2.452.3 and earlier, update to Jenkins 2.471, LTS 2.452.4, or later to resolve the issue. As a temporary workaround, consider restricting access to the `ClassLoaderProxy#fetchJar` method or disabling the Remoting library until a patch is available. Additionally, restrict access to the vulnerable `Channel#preloadJar` API endpoint to minimize the risk of exploitation.
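As an added defender-side check (example code, not from this page or the Jenkins project), the following Python classifies controller versions against the affected ranges stated above, treating two-component versions as the weekly line and three-component versions as the LTS line; the host inventory is constructed sample data, and the `X-Jenkins` response header is only a suggested source for the version string.

```python
import re

# Fixed releases stated in the advisory for CVE-2024-43044.
FIXED_WEEKLY = (2, 471)      # weekly line: 2.470 and earlier are affected
FIXED_LTS = (2, 452, 4)      # LTS line: 2.452.3 and earlier are affected

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_jenkins_version(text):
    """Return a tuple of ints for 'X.Y' (weekly) or 'X.Y.Z' (LTS), else None."""
    match = _VERSION_RE.fullmatch(text.strip())
    if match is None:
        return None
    return tuple(int(part) for part in match.groups() if part is not None)


def classify(version):
    """Return 'affected', 'fixed' or 'unknown' for one Jenkins version string.

    Weekly releases carry two components and LTS releases three, so each
    release line is compared against its own fixed version.
    """
    parsed = parse_jenkins_version(version)
    if parsed is None:
        return "unknown"
    fixed = FIXED_WEEKLY if len(parsed) == 2 else FIXED_LTS
    return "affected" if parsed < fixed else "fixed"


def triage(inventory):
    """Map each host to its status; inventory is an iterable of (host, version)."""
    return {host: classify(version) for host, version in inventory}


# Constructed sample inventory: (host, version as reported in the X-Jenkins header).
SAMPLE_INVENTORY = [
    ("ci-a.example.internal", "2.470"),
    ("ci-b.example.internal", "2.471"),
    ("ci-c.example.internal", "2.452.3"),
    ("ci-d.example.internal", "2.452.4"),
    ("ci-e.example.internal", "2.440.1"),
    ("ci-f.example.internal", "n/a"),
]

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

Hosts reported as `unknown` need a manual version check rather than being assumed fixed.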