PT-2019-14696 · Jenkins · Jenkins Support Core Plugin

Daniel Beck · Published 2019-11-21 · Updated 2023-10-25
CVE-2019-16540 · CVSS v3.1 7.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Jenkins Support Core Plugin versions 2.63 and earlier
Description: A path traversal issue allows attackers with Overall/Read permission to delete arbitrary files on the Jenkins master. The "Delete Support Bundles" feature does not validate the file paths submitted to it, so a caller can delete any file on the Jenkins controller file system accessible to the OS user account running Jenkins, not only files in the support bundle directory. The issue is made worse by a missing permission check on the deletion endpoint: any user with Overall/Read permission can delete support bundles and any other file whose name or path they know or can guess.
Recommendations: For Jenkins Support Core Plugin versions 2.63 and earlier, update the plugin to a version that includes the fix, which restricts deletion to the support bundles and related files listed in the UI and requires the "Download Bundle" permission to delete them. Note that affected versions perform no permission check on the deletion endpoint itself, so hiding the feature in the UI does not stop a user with Overall/Read from invoking it directly; until the update is applied, limit Overall/Read to trusted users.
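The following is an added illustration, written for this page in Python rather than the plugin's own Java, of the two defects the Description names and the two checks the Recommendations describe: a deletion routine that joins a caller-supplied name onto the bundle directory with no validation and no permission check, next to a hardened routine that requires a permission, accepts only names that are actually listed in the bundle directory, and confirms the canonical target sits directly inside that directory. The bundle file-name pattern, the `DownloadBundle` permission label and the `config.xml` target are assumptions for the demonstration, not the plugin's API or source; the scenario in `demo()` is constructed in a temporary directory.

```python
import os
import re
import tempfile

# Assumed bundle file-name pattern, modelled on the "support_<date>_<time>.zip"
# names the plugin produces; not taken from the plugin's source.
BUNDLE_NAME = re.compile(r"^support_\d{4}-\d{2}-\d{2}_\d{2}\.\d{2}\.\d{2}\.zip$")

# Hypothetical permission label standing in for the plugin's "Download Bundle" permission.
DOWNLOAD_BUNDLE = "DownloadBundle"


def delete_bundle_vulnerable(root, name):
    """Pre-fix behaviour: no permission check, and the caller-supplied name is
    joined onto the bundle directory without validation, so '../' escapes it."""
    os.remove(os.path.join(root, name))


def list_bundles(root):
    """The bundle files the UI would list: plain file names in root matching the pattern."""
    return sorted(f for f in os.listdir(root) if BUNDLE_NAME.match(f))


def delete_bundle_fixed(root, name, permissions):
    """Post-fix behaviour: require the permission, accept only a listed bundle
    name, and confirm the canonical target is a direct child of root."""
    if DOWNLOAD_BUNDLE not in permissions:
        raise PermissionError("Download Bundle permission required")
    if name not in list_bundles(root):
        raise ValueError("not a listed support bundle: %r" % name)
    root_real = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root_real, name))
    if os.path.dirname(target) != root_real:  # defence in depth (symlinks etc.)
        raise ValueError("target escapes the support bundle directory")
    os.remove(target)


def demo():
    """Constructed scenario: a bundle directory holding one bundle, and a sibling
    config.xml that a caller with only Overall/Read tries to delete via '../'."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "support")
    os.mkdir(root)
    bundle = "support_2019-11-21_10.00.00.zip"
    open(os.path.join(root, bundle), "w").close()
    secret = os.path.join(base, "config.xml")
    open(secret, "w").close()
    traversal = "../config.xml"
    results = {}

    # Vulnerable: any caller, any path. The sibling file is gone.
    delete_bundle_vulnerable(root, traversal)
    results["vulnerable_deleted_config"] = not os.path.exists(secret)

    # Fixed: the same traversal name is rejected even when the caller has the permission.
    open(secret, "w").close()
    try:
        delete_bundle_fixed(root, traversal, {DOWNLOAD_BUNDLE})
        results["fixed_rejected_traversal"] = False
    except ValueError:
        results["fixed_rejected_traversal"] = True
    results["config_survives"] = os.path.exists(secret)

    # Fixed: a legitimate bundle name without the permission is rejected.
    try:
        delete_bundle_fixed(root, bundle, set())
        results["fixed_rejected_unprivileged"] = False
    except PermissionError:
        results["fixed_rejected_unprivileged"] = True

    # Fixed: a listed bundle plus the permission is the only combination that deletes.
    delete_bundle_fixed(root, bundle, {DOWNLOAD_BUNDLE})
    results["fixed_deleted_bundle"] = not os.path.exists(os.path.join(root, bundle))
    return results


if __name__ == "__main__":
    for check, ok in demo().items():
        print(check, ok)
```

The allowlist check against `list_bundles` is what actually closes the hole: a traversal string can never equal a plain file name taken from the directory listing. The `realpath` comparison is kept as a second layer so that a symlink placed inside the bundle directory cannot redirect the deletion elsewhere, and the permission check runs first so that unprivileged callers learn nothing about what is on disk.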

Fix

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2019-16540
GHSA-2CXG-448H-4WXJ

Affected Products

Jenkins
Jenkins Support Core Plugin