GHSA-cgh7-rgqg-hrcx

Source
https://github.com/advisories/GHSA-cgh7-rgqg-hrcx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-cgh7-rgqg-hrcx/GHSA-cgh7-rgqg-hrcx.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-cgh7-rgqg-hrcx
Aliases
  • CVE-2023-41932
Published
2023-09-06T15:30:26Z
Modified
2024-02-16T08:13:13.919796Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Path traversal allows exploiting XXE vulnerability in Jenkins Job Configuration History Plugin
Details

Jenkins Job Configuration History Plugin 1227.v7a_79fc4dc01f and earlier does not restrict 'timestamp' query parameters in multiple endpoints, allowing attackers to delete attacker-specified directories on the Jenkins controller file system as long as they contain a file called 'history.xml'.

Database specific
{
    "nvd_published_at": "2023-09-06T13:15:09Z",
    "cwe_ids": [
        "CWE-611"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-30T23:11:19Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:jobConfigHistory

Package

Name
org.jenkins-ci.plugins:jobConfigHistory
Purl
pkg:maven/org.jenkins-ci.plugins/jobConfigHistory

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1229.v3039470161a_d

Affected versions

1.*

1.10
1.11
1.12
1.13

2.*

2.0
2.1
2.1.1
2.2
2.3
2.4
2.5
2.6
2.8
2.9
2.10
2.11
2.12
2.13
2.14
2.15
2.16
2.17
2.18
2.18.1
2.18.2
2.18.3
2.19
2.20
2.21
2.22
2.23
2.23.1
2.24
2.25
2.26
2.27
2.28
2.28.1
2.29-rc1073.41ef89cf4e15
2.29
2.30
2.31-rc1092.de9e11acbcf3
2.31-rc1098.b666422863b2
2.31-rc1107.2354f08725a_8
2.31-rc1118.fdcd7d8898ff

1119.*

1119.v509e1017356b_

1133.*

1133.v0f5420f85053

1139.*

1139.v888b_656ca_f6d

1146.*

1146.v94c2521f9213

1148.*

1148.v8607da_ef251e

1155.*

1155.v28a_46a_cc06a_5

1156.*

1156.v536a_97b_8d649

1163.*

1163.ve82c7c6e60a_3

1165.*

1165.v8cc9fd1f4597

1166.*

1166.vc9f255f45b_8a

1170.*

1170.v8a_c085b_dd49c

1171.*

1171.v04b_66d78555e

1176.*

1176.v1b_4290db_41a_5

1183.*

1183.v6e2785ff75e0

1187.*

1187.v2a_b_1ca_54d18d

1191.*

1191.v168c8c2b_956a

1198.*

1198.v4d5736c2308c

1206.*

1206.vc8967cc8a_2cb_

1207.*

1207.vd28a_54732f92

1212.*

1212.vd4470d08ff12

1227.*

1227.v7a_79fc4dc01f

Database specific

{
    "last_known_affected_version_range": "<= 1227.v7a"
}