CVE-2023-24449: Path traversal vulnerability in Jenkins PWauth Security Realm Plugin

January 26, 2023 (updated January 27, 2023)

Jenkins PWauth Security Realm Plugin 0.4 and earlier does not restrict the names of files in methods implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

References

github.com/advisories/GHSA-5xpc-c4xv-7w62
nvd.nist.gov/vuln/detail/CVE-2023-24449
www.jenkins.io/security/advisory/2023-01-24/

Detect and mitigate CVE-2023-24449 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →