CVE-2023-35147: Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not restrict the AWS SQS queue name path parameter in an HTTP endpoint, allowing attackers with…

medium6.5CVSS 3.1

AVNACLPRLUINSUCHINAN

Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not restrict the AWS SQS queue name path parameter in an HTTP endpoint, allowing attackers with Item/Read permission to obtain the contents of arbitrary files on the Jenkins controller file system.

Affected

13 ranges

Vendor	Product	Version range	Fixed in
jenkins	aws_codecommit_trigger	<= 3.0.12	—
jenkins	aws_codecommit_trigger_plugin	—	—
jenkins	checkmarx_plugin	—	—
jenkins	digital.ai_app_management_publisher_plugin	—	—
jenkins	dimensions_plugin	—	—
jenkins	jenkins_core	—	—
jenkins	jenkins_lts	—	—
jenkins	jenkins_weekly	—	—
jenkins	maven_repository_server_plugin	—	—
jenkins	sonargraph_integration_plugin	—	—
jenkins	team_concert_plugin	—	—
jenkins	template_workflows_plugin	—	—
jenkins_project	jenkins_aws_codecommit_trigger_plugin	<= 3.0.12	—