GHSA-cw5r-jx8r-9f7x

Source
https://github.com/advisories/GHSA-cw5r-jx8r-9f7x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/05/GHSA-cw5r-jx8r-9f7x/GHSA-cw5r-jx8r-9f7x.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-cw5r-jx8r-9f7x
Aliases
  • CVE-2024-5273
Published
2024-05-24T18:52:08Z
Modified
2024-11-07T19:23:03.310341Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
  • 1.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U
Summary
Jenkins Report Info Plugin Path Traversal vulnerability
Details

Jenkins Report Info Plugin 1.2 and earlier does not perform path validation of the workspace directory while serving report files.

Additionally, Report Info Plugin does not support distributed builds.

This results in a path traversal vulnerability, allowing attackers with Item/Configure permission to retrieve Surefire failures, PMD violations, Findbugs bugs, and Checkstyle errors on the controller file system by editing the workspace path.

As of publication of this advisory, there is no fix.
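The advisory attributes the issue to missing path validation of the workspace directory (CWE-22). The following Java class is an added illustration of that kind of check and is not code from the Report Info Plugin or from any published fix (the advisory states there is none). It assumes a hypothetical allowed root directory (for example the controller's builds directory) under which every workspace-relative report path must resolve, and rejects anything that escapes it after both lexical normalization and symlink resolution.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example: canonicalize a configured workspace path plus a report file
// name and refuse to serve anything outside the allowed root. Class and method
// names are hypothetical; they are not part of the plugin.
public class ReportPathCheck {
    private final Path allowedRoot;

    public ReportPathCheck(Path allowedRoot) throws IOException {
        // Resolve the root once, following symlinks, so later comparisons
        // are made against a canonical prefix.
        this.allowedRoot = allowedRoot.toRealPath();
    }

    // workspacePath: directory taken from the job configuration (attacker
    // controllable with Item/Configure); reportFile: the report to serve.
    public Path resolveReportFile(String workspacePath, String reportFile) throws IOException {
        // resolve() keeps an absolute argument as-is, so an absolute
        // workspacePath outside the root simply fails the prefix check below.
        Path candidate = allowedRoot.resolve(workspacePath).resolve(reportFile).normalize();
        if (!candidate.startsWith(allowedRoot)) {
            throw new IOException("report path escapes allowed root: " + candidate);
        }
        // Second check after following symlinks: a link inside the workspace
        // pointing elsewhere on the controller must also be rejected.
        Path real = candidate.toRealPath();
        if (!real.startsWith(allowedRoot)) {
            throw new IOException("report path resolves outside allowed root: " + real);
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <root>/job-a/target/surefire-reports/TEST-x.xml
        Path root = Files.createTempDirectory("builds-root");
        Path reports = Files.createDirectories(root.resolve("job-a/target/surefire-reports"));
        Files.writeString(reports.resolve("TEST-x.xml"), "<testsuite/>");

        ReportPathCheck check = new ReportPathCheck(root);

        // Legitimate workspace-relative lookup succeeds.
        System.out.println("ok: " + check.resolveReportFile("job-a", "target/surefire-reports/TEST-x.xml"));

        // A workspace path edited to climb out of the root is rejected.
        try {
            check.resolveReportFile("../../..", "etc/hostname");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        // An absolute workspace path elsewhere on the controller is rejected too.
        try {
            check.resolveReportFile("/", "etc/hostname");
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The two-stage check matters: `normalize()` alone handles `..` segments but not symlinks, while `toRealPath()` alone throws on non-existent files before you have decided whether the request was even in scope.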

Database specific
{
    "nvd_published_at": "2024-05-24T14:15:17Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2024-05-24T18:52:08Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:report-info

Package

Name
org.jenkins-ci.plugins:report-info
Purl
pkg:maven/org.jenkins-ci.plugins/report-info

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Last affected
1.2

Affected versions

1.*

1.0
1.1
1.2