CVE-2024-23900

Source
https://nvd.nist.gov/vuln/detail/CVE-2024-23900
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-23900.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2024-23900
Aliases
Related
Published
2024-01-24T18:15:09Z
Modified
2024-09-03T04:38:32.532593Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Summary
[none]
Details

Jenkins Matrix Project Plugin 822.v01b_8c85d16d2 and earlier does not sanitize user-defined axis names of multi-configuration projects, allowing attackers with Item/Configure permission to create or replace any config.xml files on the Jenkins controller file system with content not controllable by the attackers.

References

Affected packages

Git / github.com/jenkinsci/matrix-project-plugin

Affected ranges

Type
GIT
Repo
https://github.com/jenkinsci/matrix-project-plugin
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

751.*

751.v496d84c0d414

758.*

758.v7a_ea_491852f3

771.*

771.v574584b_39e60

772.*

772.v494f19991984

785.*

785.v06b_7f47b_c631

789.*

789.v57a_725b_63c79

802.*

802.v8013b_40c7edc

808.*

808.v5a_b_5f56d6966

818.*

818.v7eb_e657db_924

822.*

822.v01b_8c85d16d2

matrix-project-1.*

matrix-project-1.0
matrix-project-1.0-beta-1
matrix-project-1.1
matrix-project-1.10
matrix-project-1.11
matrix-project-1.12
matrix-project-1.13
matrix-project-1.14
matrix-project-1.15
matrix-project-1.16
matrix-project-1.17
matrix-project-1.18
matrix-project-1.19
matrix-project-1.2
matrix-project-1.20
matrix-project-1.3
matrix-project-1.4
matrix-project-1.5
matrix-project-1.6
matrix-project-1.7
matrix-project-1.7.1
matrix-project-1.8
matrix-project-1.9