CVE-2018-6356

CVSS v3.1 6.5 (Medium)
CVSS v2.0 4 (Medium)
EPSS 28.82 % (97th)
Affected Products 2
Advisories 2

Jenkins before 2.107 and Jenkins LTS before 2.89.4 did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins master they should not have access to. On Windows, any file accessible to the Jenkins master process could be downloaded. On other operating systems, any file within the Jenkins home directory accessible to the Jenkins master process could be downloaded.
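The defect class named above (CWE-22) comes down to one missing step: a server that maps a user-supplied relative path onto a base directory has to normalise the result before deciding whether it still lies inside that directory. The following added example, which is not Jenkins code and not taken from the advisory, contrasts a flawed prefix check on the unnormalised path with a containment check on the resolved path. The base directory and the request strings are constructed for the demonstration.

```python
"""Base-directory containment check for a resource-serving endpoint.

Added example (not part of the CVE record or of Jenkins). Shows why a
prefix test on an unnormalised path does not prevent traversal, and how
a check on the resolved path does. Base directory and requests below are
constructed values.
"""
import os
from pathlib import Path
from typing import Dict, Optional, Tuple


def naive_resolve(base: Path, requested: str) -> Optional[Path]:
    """Flawed check: join, then test the raw string for the base prefix.

    '..' segments survive the join untouched, so "base/../secret" still
    starts with "base/" and passes. This is the failure mode behind the
    weakness class, kept here only to contrast it with the fix.
    """
    candidate = base / requested
    if str(candidate).startswith(str(base) + os.sep):
        return candidate
    return None


def safe_resolve(base: Path, requested: str) -> Optional[Path]:
    """Hardened check: resolve both sides, then require containment.

    resolve() collapses '.' and '..' and follows symlinks, so the
    comparison is made on the path that would actually be opened.
    An absolute `requested` replaces the base during the join and is
    rejected by the same containment test. On Windows, pathlib also
    treats backslashes and drive-letter prefixes as separators and
    absolute paths, which is why normalising with the platform's own
    path logic, rather than string tricks, matters.
    """
    base_real = base.resolve()
    try:
        candidate = (base_real / requested).resolve()
    except (OSError, RuntimeError):
        # Unreadable or looping symlink chains: treat as not servable.
        return None
    if candidate == base_real or base_real in candidate.parents:
        return candidate
    return None


def demo() -> Dict[str, Tuple[bool, bool]]:
    """Run both checks over constructed requests.

    Returns {request: (naive_allows, safe_allows)} so the difference
    between the two checks is visible per input.
    """
    base = Path("/srv/plugin-resources")  # constructed base directory
    requests = [
        "icons/logo.png",        # legitimate resource
        "../secrets.txt",        # parent escape
        "a/../../secrets.txt",   # escape hidden behind a real-looking segment
        "/etc/hostname",         # absolute path replaces the base on join
    ]
    return {
        r: (naive_resolve(base, r) is not None, safe_resolve(base, r) is not None)
        for r in requests
    }


if __name__ == "__main__":
    for req, (naive_ok, safe_ok) in demo().items():
        print(f"{req!r:28} naive={naive_ok!s:5} safe={safe_ok}")
```

The point to carry over to any file-serving handler: compute the final, resolved path first and make the authorisation decision on that, never on the string the client sent.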

Weaknesses
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE Status
PUBLISHED
CNA
MITRE
Published Date
2018-02-20 15:29:00
Updated Date
2022-06-13 19:09:38

Affected Products


Configuration #1

  Product: Jenkins prior 2.107 version
  CPE23:   cpe:2.3:a:jenkins:jenkins
  Up To:   < 2.107

Configuration #2

  Product: Jenkins prior 2.89.4 version
  CPE23:   cpe:2.3:a:jenkins:jenkins::*:*:*:lts
  Up To:   < 2.89.4

Configuration #3

  Product: Oracle Communications Cloud Native Core Automated Test Suite 1.9.0
  CPE23:   cpe:2.3:a:oracle:communications_cloud_native_core_automated_test_suite:1.9.0