Description
FilePath#renameTo and FilePath#moveAllChildrenTo in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier only check 'read' agent-to-controller access permission on the source path, instead of 'delete'.
Remediation
References