[JENKINS:SECURITY-3303] Path traversal vulnerability in `htmlpublisher`

Severity Medium
Affected Packages 2
Fixed Packages 2
CVEs 1

htmlpublisher 1.32 and earlier archives invalid (dangling) symbolic links found in report directories on agents and recreates them, as symbolic links, on the controller.
Attackers with Item/Configure permission can therefore have a link in a report directory point at an arbitrary path on the Jenkins controller file system and use the recreated link to determine whether that path exists, without being able to access its contents.

htmlpublisher 1.32.1 does not archive symbolic links.
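The following is an added illustration, not code from the htmlpublisher plugin, of the two archiving behaviours the advisory contrasts: a copy that preserves symbolic links as links (the 1.32 behaviour) beside one that skips them (the 1.32.1 behaviour), plus a version check against the fixed release. The report directory, file names and the "controller-only" target path are constructed for the example; the oracle shown is simply that any code which stats the recreated link follows it, so its answer differs depending on whether the target exists on the controller.

```python
"""Illustrative model (not the plugin's code) of SECURITY-3303: archiving a
report directory with vs. without symbolic links. Paths are constructed."""
import os
import shutil
import tempfile
from pathlib import Path

# First release that no longer archives symbolic links, per the advisory.
FIXED_VERSION = (1, 32, 1)


def parse_version(v: str) -> tuple:
    """'1.32' -> (1, 32); plain dotted versions are enough for this plugin."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str) -> bool:
    """True for htmlpublisher <= 1.32 (anything older than 1.32.1)."""
    return parse_version(version) < FIXED_VERSION


def archive_report_vulnerable(report_dir: Path, dest: Path) -> None:
    """Vulnerable behaviour: symlinks=True keeps links as links, so a dangling
    link aimed at an arbitrary path is recreated verbatim at the destination."""
    shutil.copytree(report_dir, dest, symlinks=True)


def archive_report_fixed(report_dir: Path, dest: Path) -> list:
    """Fixed behaviour: copy regular files only; every symlink (to a file or a
    directory) is skipped. Returns the relative paths that were skipped."""
    skipped = []
    for root, dirs, files in os.walk(report_dir):  # followlinks=False by default
        rel = Path(root).relative_to(report_dir)
        (dest / rel).mkdir(parents=True, exist_ok=True)
        for d in list(dirs):
            if (Path(root) / d).is_symlink():       # symlinked directory: record, never copy
                dirs.remove(d)
                skipped.append(str(rel / d))
        for f in files:                              # dangling links land in 'files'
            src = Path(root) / f
            if src.is_symlink():
                skipped.append(str(rel / f))
                continue
            shutil.copy2(src, dest / rel / f)
    return skipped


def demo() -> dict:
    """Build a constructed report directory holding one dangling symlink that
    points at a path which exists only on the 'controller' side, archive it
    both ways, and report what each archive reveals."""
    work = Path(tempfile.mkdtemp())
    try:
        report = work / "report"
        report.mkdir()
        (report / "index.html").write_text("<html>ok</html>")
        # Constructed stand-in for a controller-only path; absent on the agent.
        probe_target = work / "controller_only_file"
        os.symlink(probe_target, report / "probe")

        vuln_dest, fixed_dest = work / "archive_vuln", work / "archive_fixed"
        archive_report_vulnerable(report, vuln_dest)
        skipped = archive_report_fixed(report, fixed_dest)

        # Now pretend we are on the controller, where the target does exist.
        probe_target.write_text("present")
        return {
            "vuln_has_link": (vuln_dest / "probe").is_symlink(),
            # exists() follows the link: True here, False if the target were
            # missing. That difference is the existence oracle.
            "vuln_oracle": (vuln_dest / "probe").exists(),
            "fixed_has_link": (fixed_dest / "probe").is_symlink()
            or (fixed_dest / "probe").exists(),
            "fixed_copied_index": (fixed_dest / "index.html").is_file(),
            "skipped": skipped,
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(is_affected("1.32"), is_affected("1.32.1"))
    print(demo())
```

Run it on a POSIX host where symlinks can be created; the vulnerable archive contains the link and answers the existence question, the fixed archive contains only the regular file and lists the link as skipped.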

ID
JENKINS:SECURITY-3303
Severity
medium
Published
2024-03-06T00:00:00
Modified
2024-03-06T00:00:00
Rights
Jenkins Security Team
Other Advisories
Source: Plugin repository
Name: htmlpublisher repository
URL: https://github.com/jenkinsci/htmlpublisher-plugin
Type      Package URL                                      Namespace               Name / Product         Version
Affected  pkg:maven/org.jenkins-ci.plugins/htmlpublisher   org.jenkins-ci.plugins  htmlpublisher          <= 1.32
Fixed     pkg:maven/org.jenkins-ci.plugins/htmlpublisher   org.jenkins-ci.plugins  htmlpublisher          = 1.32.1
Affected  pkg:github/jenkinsci/htmlpublisher-plugin        jenkinsci               htmlpublisher-plugin   <= 1.32
Fixed     pkg:github/jenkinsci/htmlpublisher-plugin        jenkinsci               htmlpublisher-plugin   = 1.32.1