All the vulnerabilites related to Jenkins Project - Jenkins Log Command Plugin
cve-2024-23904
Vulnerability from cvelistv5
Published
2024-01-24 17:52
Modified
2024-08-01 23:13
Severity ?
Summary
Jenkins Log Command Plugin 1.0.2 and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read content from arbitrary files on the Jenkins controller file system.
Impacted products
Vendor Product Version
Show details on NVD website


{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T23:13:08.430Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "Jenkins Security Advisory 2024-01-24",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3334"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2024/01/24/6"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unknown",
          "product": "Jenkins Log Command Plugin",
          "vendor": "Jenkins Project",
          "versions": [
            {
              "lessThanOrEqual": "1.0.2",
              "status": "affected",
              "version": "0",
              "versionType": "maven"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Jenkins Log Command Plugin 1.0.2 and earlier does not disable a feature of its command parser that replaces an \u0027@\u0027 character followed by a file path in an argument with the file\u0027s contents, allowing unauthenticated attackers to read content from arbitrary files on the Jenkins controller file system."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-01-24T17:52:27.324Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "name": "Jenkins Security Advisory 2024-01-24",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3334"
        },
        {
          "url": "http://www.openwall.com/lists/oss-security/2024/01/24/6"
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2024-23904",
    "datePublished": "2024-01-24T17:52:27.324Z",
    "dateReserved": "2024-01-23T12:46:51.265Z",
    "dateUpdated": "2024-08-01T23:13:08.430Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}