CVE-2024-23900

Name of the Vulnerable Software and Affected Versions Jenkins Matrix Project Plugin versions 822.v01b 8c85d16d2 and earlier

Description The issue is related to the lack of sanitization of user-defined axis names of multi-configuration projects. This allows attackers with Item/Configure permission to create or replace any config.xml files on the Jenkins controller file system with content not controllable by the attackers. The vulnerability can be exploited through the config.xml REST API endpoint.

Recommendations For Jenkins Matrix Project Plugin versions 822.v01b 8c85d16d2 and earlier, update to a version that sanitizes user-defined axis names, such as Matrix Project Plugin 822.824.v14451b c0fd42. As a temporary workaround, consider restricting access to the config.xml REST API endpoint and limiting Item/Configure permissions to minimize the risk of exploitation.