[MAVEN:GHSA-PXGQ-GQR9-5GWX] Path traversal vulnerability in Jenkins agent names
Severity
High
Affected Packages
2
Fixed Packages
2
CVEs
1
Jenkins 2.274 and earlier, LTS 2.263.1 and earlier allows users with Agent/Configure permission to choose agent names that cause Jenkins to override unrelated config.xml files. If the global config.xml file is replaced, Jenkins will start up with unsafe legacy defaults after a restart.

Jenkins 2.275, LTS 2.263.2 ensures that agent names are considered valid names for items to prevent this problem.

In case of problems, this change can be reverted by setting the Java system property jenkins.model.Nodes.enforceNameRestrictions to false.
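As an added illustration (not Jenkins code), the following shows why an unrestricted agent name can address a config.xml outside nodes/, including the global one, and the kind of item-name check the fix introduces. The JENKINS_HOME layout, the unsafe character set and the reserved names are assumptions modelled on Jenkins item-name validation, not quoted from the advisory.

```python
from pathlib import PurePosixPath
from typing import Optional

# Constructed layout mirroring JENKINS_HOME: each agent's config lives at
# nodes/<agent name>/config.xml, and the global config.xml sits one level up.
JENKINS_HOME = PurePosixPath("/var/lib/jenkins")
NODES_DIR = JENKINS_HOME / "nodes"
GLOBAL_CONFIG = JENKINS_HOME / "config.xml"

# Assumed rules, modelled on Jenkins item-name validation; the exact set
# Jenkins enforces is not quoted on the advisory page.
UNSAFE_CHARS = frozenset('?*/\\%!@#$^&|<>[]:;')
RESERVED_NAMES = frozenset({".", ".."})


def node_config_path(agent_name: str) -> PurePosixPath:
    """Path the agent's config.xml is written to if the name is used verbatim.
    PurePosixPath keeps '..' segments, so they are collapsed here the way the
    filesystem would resolve them."""
    parts: list = []
    for seg in (NODES_DIR / agent_name / "config.xml").parts:
        if seg == "..":
            if len(parts) > 1:  # never pop the root anchor
                parts.pop()
        else:
            parts.append(seg)
    return PurePosixPath(*parts)


def escapes_nodes_dir(agent_name: str) -> bool:
    """The vulnerable condition: the resolved file is not under nodes/."""
    return NODES_DIR not in node_config_path(agent_name).parents


def validate_agent_name(agent_name: str) -> Optional[str]:
    """Hardened check: None if the name is acceptable, else the rejection reason."""
    name = agent_name.strip()
    if not name:
        return "empty name"
    if name in RESERVED_NAMES:
        return f"reserved name {name!r}"
    for ch in name:
        if ch in UNSAFE_CHARS:
            return f"unsafe character {ch!r}"
        if not ch.isprintable():
            return "control character"
    return None
```

With the check in place, every name that `escapes_nodes_dir` flags is rejected before any file is written, so a node can no longer name a path that resolves to `GLOBAL_CONFIG`.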
| Package | Affected Version |
|---|---|
| pkg:maven/org.jenkins-ci.main/jenkins-core | >= 2.264, < 2.275 |
| pkg:maven/org.jenkins-ci.main/jenkins-core | < 2.263.2 |

| Package | Fixed Version |
|---|---|
| pkg:maven/org.jenkins-ci.main/jenkins-core | = 2.275 |
| pkg:maven/org.jenkins-ci.main/jenkins-core | = 2.263.2 |
- ID: MAVEN:GHSA-PXGQ-GQR9-5GWX
- Severity: high
- URL: https://github.com/advisories/GHSA-pxgq-gqr9-5gwx
- Published: 2022-05-24T17:39:13
- Modified: 2023-12-22T13:36:56
- Rights: Maven Security Team
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:maven/org.jenkins-ci.main/jenkins-core | org.jenkins-ci.main | jenkins-core | >= 2.264, < 2.275 | | | |
| Fixed | pkg:maven/org.jenkins-ci.main/jenkins-core | org.jenkins-ci.main | jenkins-core | = 2.275 | | | |
| Affected | pkg:maven/org.jenkins-ci.main/jenkins-core | org.jenkins-ci.main | jenkins-core | < 2.263.2 | | | |
| Fixed | pkg:maven/org.jenkins-ci.main/jenkins-core | org.jenkins-ci.main | jenkins-core | = 2.263.2 | | | |