PT-2024-35422 · Jenkins · Jenkins Report Info Plugin

Daniel Beck · Published 2024-05-24 · Updated 2025-10-10 · CVE-2024-5273

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Report Info Plugin versions 1.2 and earlier

Description: Jenkins Report Info Plugin 1.2 and earlier does not validate the workspace directory path while serving report files, resulting in a path traversal vulnerability. By manipulating the workspace path, attackers with Item/Configure permission can retrieve Surefire failures, PMD violations, Findbugs bugs, and Checkstyle errors from the controller file system. Additionally, the Report Info Plugin does not support distributed builds.

Recommendations: For Jenkins Report Info Plugin versions 1.2 and earlier, as a temporary workaround, consider restricting access to the workspace directory to minimize the risk of exploitation. Avoid using the plugin until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
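The missing check described above, as an added illustration that is not the plugin's own code (the plugin is written in Java; Python is used here so the check runs stand-alone): a report path joined onto the workspace directory with no containment check, beside a resolver that canonicalizes the path and rejects any result outside the workspace, including one reached through a symlink planted inside it. The directory layout, file names and the secrets.xml file are constructed for the demo.

```python
"""Illustrates the missing check behind CVE-2024-5273: a report path joined onto
the workspace directory without verifying the result stays inside it.
Constructed example, not the Report Info Plugin's own code."""
import os
import tempfile
from pathlib import Path


def unsafe_report_path(workspace: str, requested: str) -> str:
    """The pattern the advisory describes: join and serve, no containment check.
    A requested value such as '../../secrets.xml' escapes the workspace."""
    return os.path.normpath(os.path.join(workspace, requested))


def safe_report_path(workspace: str, requested: str) -> Path:
    """Resolve the requested file and refuse anything outside the workspace.
    Resolving symlinks first means a link inside the workspace cannot be
    used to point the check at the rest of the controller's file system."""
    root = Path(workspace).resolve(strict=True)
    candidate = (root / requested).resolve()
    # commonpath, not startswith: '/ws' must not accept '/ws-other/file'
    if os.path.commonpath([root, candidate]) != str(root):
        raise PermissionError(f"report path escapes workspace: {requested!r}")
    return candidate


def demo() -> dict:
    """Build a throwaway layout (constructed data) and exercise both functions."""
    base = Path(tempfile.mkdtemp())
    ws = base / "workspace" / "job1"
    ws.mkdir(parents=True)
    (ws / "surefire.xml").write_text("<testsuite/>")
    (base / "secrets.xml").write_text("controller secret")  # outside the workspace
    results = {}
    # 1. legitimate report inside the workspace: both variants serve it
    results["unsafe_ok"] = Path(unsafe_report_path(str(ws), "surefire.xml")).read_text()
    results["safe_ok"] = safe_report_path(str(ws), "surefire.xml").read_text()
    # 2. traversal: the unchecked join reads the file outside the workspace
    results["unsafe_escape"] = Path(unsafe_report_path(str(ws), "../../secrets.xml")).read_text()
    try:
        safe_report_path(str(ws), "../../secrets.xml")
        results["safe_escape"] = "allowed"
    except PermissionError:
        results["safe_escape"] = "blocked"
    # 3. symlink inside the workspace that points outside: also rejected
    (ws / "link.xml").symlink_to(base / "secrets.xml")
    try:
        safe_report_path(str(ws), "link.xml")
        results["safe_symlink"] = "allowed"
    except PermissionError:
        results["safe_symlink"] = "blocked"
    return results
```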

Weakness Enumeration: Path traversal

Related Identifiers:
CVE-2024-5273
GHSA-CW5R-JX8R-9F7X

Affected Products:
Jenkins
Jenkins Report Info Plugin