CVE-2024-54004: Jenkins Filesystem List Parameter Plugin has Path Traversal vulnerability

November 27, 2024

Jenkins Filesystem List Parameter Plugin 0.0.14 and earlier does not restrict the path used for the File system objects list Parameter.

This allows attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system.

Filesystem List Parameter Plugin 0.0.15 ensures that paths used by the File system objects list Parameter are restricted to an allow list, with the default base directory set to $JENKINS_HOME/userContent/. The allow list can be configured to include additional custom base directories.

References

github.com/advisories/GHSA-fwxq-3f52-5cmc
nvd.nist.gov/vuln/detail/CVE-2024-54004
www.jenkins.io/security/advisory/2024-11-27/

Code Behaviors & Features

Detect and mitigate CVE-2024-54004 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →