CVE-2024-23900
Published 2024-01-24
Severity: medium, CVSS 3.1 base score 4.3
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Jenkins Matrix Project Plugin 822.v01b_8c85d16d2 and earlier does not sanitize user-defined axis names of multi-configuration projects, allowing attackers with Item/Configure permission to create or replace any config.xml files on the Jenkins controller file system with content not controllable by the attackers.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | git_server_plugin | — | — |
| jenkins | gitlab_branch_source_plugin | — | — |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_lts | — | — |
| jenkins | jenkins_uses_the_strict_crumb_issuer_plugin | — | — |
| jenkins | jenkins_weekly | — | — |
| jenkins | log_command_plugin | — | — |
| jenkins | matrix_project | <= 822.v01b_8c85d16d2 | — |
| jenkins | matrix_project_plugin | — | — |
| jenkins | qualys_policy_compliance_scanning_connector_plugin | — | — |
| jenkins | red_hat_dependency_analytics_plugin | — | — |
| jenkins_project | jenkins_matrix_project_plugin | <= 822.v01b_8c85d16d2 | — |