Acunetix DAST powers runtime capabilities for Invicti’s complete AppSec platform. Visit Invicti for more.

WEB APPLICATION VULNERABILITIES Standard & Premium

Jenkins Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2018-1000406)

Description

A path traversal vulnerability exists in Jenkins 2.145 and earlier, LTS 2.138.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java that allows attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build.

Remediation

References

CVE-2018-1000406

Related Vulnerabilities

WordPress Plugin Header Footer Code Manager SQL Injection (1.1.13)

WordPress Plugin GS Logo Slider-Ticker, Grid, List, Table & Filter Views Cross-Site Scripting (3.3.7)

WordPress Plugin Tutor LMS-eLearning and online course solution Cross-Site Scripting (1.9.10)

WordPress Plugin NextGEN Gallery-WordPress Gallery PHP Object Injection (3.1.5)

WordPress Plugin ACF:Better Search Cross-Site Request Forgery (3.3.0)

Severity

Medium

Classification

CVE-2018-1000406 CWE-22 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Tags

Missing Update Known Vulnerabilities