CVE-2023-24455: Path Traversal in Jenkins visualexpert Plugin

January 26, 2023 (updated January 27, 2023)

Jenkins visualexpert Plugin 1.3 and earlier does not restrict the names of files in methods implementing form validation, allowing attackers with Item/Configure permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

References

github.com/advisories/GHSA-8mmh-h4jh-2g34
nvd.nist.gov/vuln/detail/CVE-2023-24455
www.jenkins.io/security/advisory/2023-01-24/

Detect and mitigate CVE-2023-24455 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →