Description
Jenkins Doktor Plugin 0.4.1 and earlier implements functionality that allows agent processes to render files on the controller as Markdown or Asciidoc. The error messages this produces allow attackers who are able to control agent processes to determine whether a file with a given name exists.
Remediation
References
https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2548