Jenkins Warnings Next Generation Plugin 9.10.2 and earlier does not restrict the name of a file when configuring a custom ID, allowing attackers with Item/Configure permission to write and read specific files with a hard-coded suffix on the Jenkins controller file system.
{
  "versions": [
    {
      "introduced": "9.0.0"
    },
    {
      "fixed": "9.0.2"
    },
    {
      "introduced": "9.5.0"
    },
    {
      "fixed": "9.5.2"
    },
    {
      "introduced": "9.10.0"
    },
    {
      "last_affected": "9.10.2"
    },
    {
      "introduced": "0"
    },
    {
      "last_affected": "9.7.0"
    }
  ]
}