PT-2024-36011 · Jenkins · Jenkins Filesystem List Parameter Plugin

Daniel Beck · Published: 2024-11-27 · Updated: 2025-10-03 · CVE-2024-54004

CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Jenkins Filesystem List Parameter Plugin versions 0.0.14 and earlier
Description: The issue allows attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system due to a lack of restriction on the path used for the File system objects list Parameter.
Recommendations: For Jenkins Filesystem List Parameter Plugin versions 0.0.14 and earlier, update to version 0.0.15 or later, which restricts paths used by the File system objects list Parameter to an allow list, with the default base directory set to $JENKINS_HOME/userContent/. Additionally, consider configuring the allow list to include custom base directories as needed.
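
The allow-list restriction described in the recommendation, sketched as an added Python example (not the plugin's own code, which this page does not show). The function names and the directory layout built in `demo()` are constructed for illustration; only the default base `$JENKINS_HOME/userContent/` comes from the advisory.

```python
import os
import tempfile
from pathlib import Path


def default_allow_list(jenkins_home):
    """Default from the advisory: only $JENKINS_HOME/userContent/ is allowed."""
    return [Path(jenkins_home) / "userContent"]


def is_path_allowed(candidate, allowed_bases):
    """True only if candidate, once fully resolved, lies inside an allowed base."""
    # resolve() collapses ".." and follows symlinks, so the decision is made on
    # the real location rather than on the string entered in the job config.
    real = Path(candidate).resolve()
    for base in allowed_bases:
        real_base = Path(base).resolve()
        # Component-wise containment: "userContent-old" must not pass just
        # because its name starts with "userContent" (naive startswith bug).
        if real == real_base or real_base in real.parents:
            return True
    return False


def demo():
    """Classify sample parameter paths against a constructed JENKINS_HOME."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "jenkins_home"
        (home / "userContent" / "builds").mkdir(parents=True)
        (home / "userContent-old").mkdir()
        (home / "secrets").mkdir()
        # Symlink placed inside the allowed base but pointing outside it.
        os.symlink(home / "secrets", home / "userContent" / "link")
        samples = {
            "inside": home / "userContent" / "builds",
            "base": home / "userContent",
            "dotdot": home / "userContent" / ".." / "secrets",
            "sibling_prefix": home / "userContent-old",
            "symlink_out": home / "userContent" / "link",
            "controller_root": Path(os.sep),
        }
        allowed = default_allow_list(home)
        return {name: is_path_allowed(p, allowed) for name, p in samples.items()}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:16} {'allowed' if ok else 'rejected'}")
```

Custom base directories added to the allow list go through the same check; each extra entry widens what users with Item/Configure permission can list, so keep entries as narrow as the jobs require.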

Fix

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2024-54004
GHSA-FWXQ-3F52-5CMC

Affected Products

Jenkins
Jenkins Filesystem List Parameter Plugin