CVE-2018-6356
N/A
N/A
Summary
Jenkins before 2.107 and Jenkins LTS before 2.89.4 did not properly prevent specifying relative paths that escape a base directory for URLs accessing plugin resource files. This allowed users with Overall/Read permission to download files from the Jenkins master they should not have access to. On Windows, any file accessible to the Jenkins master process could be downloaded. On other operating systems, any file within the Jenkins home directory accessible to the Jenkins master process could be downloaded.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- http://www.openwall.com/lists/oss-security/2018/02/14/1
- http://www.securityfocus.com/bid/103037
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://jenkins.io/security/advisory/2018-02-14/
References
- http://www.openwall.com/lists/oss-security/2018/02/14/1
- http://www.securityfocus.com/bid/103037
- https://www.oracle.com/security-alerts/cpuapr2022.html
- https://jenkins.io/security/advisory/2018-02-14/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.