CVE-2024-23900

Severity: 4.3 MEDIUM
EPSS: 0.1% (top 81.70%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 24

Description

Jenkins Matrix Project Plugin 822.v01b_8c85d16d2 and earlier does not sanitize user-defined axis names of multi-configuration projects, allowing attackers with Item/Configure permission to create or replace any config.xml files on the Jenkins controller file system with content not controllable by the attackers.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (3 packages)

Maven: org.jenkins-ci.plugins:matrix-project, affected < 822.824.v14451b
CVEListV5: jenkins_project/jenkins_matrix_project_plugin, affected 822.v01b_8c85d16d2
NVD: jenkins/matrix_project, affected 822.v01b_8c85d16d2

Vulnerability Details (3)

GHSA: Path traversal vulnerability in Jenkins Matrix Project Plugin (2024-01-24)
OSV: Path traversal vulnerability in Jenkins Matrix Project Plugin (2024-01-24)
CVEList: CVE-2024-23900: Jenkins Matrix Project Plugin 822 (2024-01-24)

Vendor Advisories (2)

Jenkins: Jenkins Security Advisory 2024-01-24 (2024-01-24)
Red Hat: jenkins-2-plugins: matrix-project plugin path traversal vulnerability (2024-01-09)
CVE-2024-23900 (MEDIUM CVSS 4.3) | Jenkins Matrix Project Plugin 822.v | cvebase.io