PT-2019-11751 · Jenkins · Jenkins

Conor Oneill

Published

2019-07-17

Updated

2023-10-25

CVE-2019-10352

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions Jenkins versions 2.185 and earlier Jenkins LTS versions 2.176.1 and earlier

Description A path traversal issue allows attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory. This results in an arbitrary file write on the Jenkins master when scheduling a build. The issue is related to the core/src/main/java/hudson/model/FileParameterValue.java file.

Recommendations For Jenkins versions 2.185 and earlier, update to a version that includes the fix for this issue. For Jenkins LTS versions 2.176.1 and earlier, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting the Job/Configure permission to minimize the risk of exploitation.

Exploit

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

CVE-2019-10352

GHSA-QR42-82QJ-MW65

RHSA-2019:2503

RHSA-2019:2548

Affected Products

Jenkins

PT-2019-11751 · Jenkins · Jenkins

CVE-2019-10352

Weakness Enumeration

Related Identifiers

Affected Products

References · 12