PT-2024-2758 · Jenkins · Jenkins Log Command Plugin

Published: 2024-01-24 · Updated: 2024-04-11 · CVE-2024-23904

CVSS v2.0: 7.8 (High)

Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Jenkins Log Command Plugin versions 1.0.2 and earlier

Description

The issue lies in the command parser feature of the Jenkins Log Command Plugin, which replaces an '@' character followed by a file path in an argument with that file's contents. This allows unauthenticated attackers to read the contents of arbitrary files on the Jenkins controller file system; in other words, a remote attacker may exploit the issue to read arbitrary files.

Recommendations

For Jenkins Log Command Plugin versions 1.0.2 and earlier, consider disabling the command parser feature that replaces the '@' character with file contents until a patch is available. Restrict access to sensitive files on the Jenkins controller file system to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
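To make the described behaviour concrete, the following is an added Python illustration (not the plugin's own Java code): a minimal argument expander that performs the '@path' substitution described above, beside a hardened version that treats the token literally, plus a small helper that flags such tokens in a logged command line. The command tokens and the file it reads are constructed here.

```python
"""Illustration of the '@file' argument expansion flaw described in this advisory.
Added example, not code from the Jenkins Log Command Plugin. The sample file
and command tokens below are constructed for the demonstration."""
import os
import tempfile

AT_PREFIX = "@"


def expand_at_args_vulnerable(args):
    """Mimics the weak parser: every '@path' token is replaced by that file's
    contents, so whoever controls the argument reads whatever the Jenkins
    controller process can read."""
    expanded = []
    for arg in args:
        if arg.startswith(AT_PREFIX) and len(arg) > 1:
            with open(arg[1:], encoding="utf-8") as fh:
                expanded.append(fh.read())
        else:
            expanded.append(arg)
    return expanded


def expand_at_args_hardened(args):
    """Hardened form: the '@' syntax is disabled, tokens pass through unchanged."""
    return list(args)


def find_at_file_args(command_line):
    """Detection helper: return '@path' tokens found in a logged command line so a
    reviewer can spot attempts to pull controller files into a command."""
    return [tok for tok in command_line.split()
            if tok.startswith(AT_PREFIX) and len(tok) > 1]


def demo():
    # Constructed stand-in for a sensitive controller file (not a real secret).
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("constructed-secret-value")
        path = fh.name
    try:
        # Hypothetical command tokens; only the '@' token matters here.
        args = ["some-command", "-option", AT_PREFIX + path]
        leaked = expand_at_args_vulnerable(args)[-1]   # file contents
        kept = expand_at_args_hardened(args)[-1]       # literal '@path'
        return {"leaked": leaked, "kept": kept,
                "flagged": find_at_file_args(" ".join(args))}
    finally:
        os.unlink(path)
```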

Weakness Enumeration

Path traversal

Related Identifiers

BDU:2024-02890
CVE-2024-23904
GHSA-QJPF-2JHX-3758

Affected Products

Jenkins
Jenkins Log Command Plugin
RED OS