GHSA-q58j-fhj7-j6fg

Source

https://github.com/advisories/GHSA-q58j-fhj7-j6fg

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-q58j-fhj7-j6fg/GHSA-q58j-fhj7-j6fg.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-q58j-fhj7-j6fg

Aliases

CVE-2021-21698

Published

2022-05-24T19:19:43Z

Modified

2024-02-16T08:20:52.779884Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Path traversal vulnerability in Jenkins Subversion Plugin allows reading arbitrary files

Details

Subversion Plugin 2.15.0 and earlier does not restrict the name of a file when looking up a subversion key file on the controller from an agent.

This allows attackers able to control agent processes to read arbitrary files on the Jenkins controller file system.

Subversion Plugin 2.15.1 checks for the presence of and prohibits directory separator characters as part of the file name, restricting it to the intended directory.

References

Affected packages

Maven / org.jenkins-ci.plugins:subversion

Package

Name: org.jenkins-ci.plugins:subversion; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/subversion

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.15.1

Affected versions

1.*

1.24

1.25

1.26

1.28

1.29

1.30

1.31

1.32

1.33

1.34

1.35

1.36

1.37

1.38

1.39

1.40

1.41

1.42

1.43

1.44

1.45

1.48

1.50

1.51

1.53

1.54

2.*

2.0-alpha-1

2.0-beta-1

2.0

2.1

2.2

2.3

2.4

2.4.1

2.4.2

2.4.3

2.4.4

2.4.5

2.5-beta-1

2.5-beta-2

2.5-beta-3

2.5-beta-4

2.5

2.5.1

2.5.2

2.5.3

2.5.4

2.5.5

2.5.6

2.5.7

2.6

2.7.1

2.7.1.1

2.7.2

2.8

2.9

2.10

2.10.1

2.10.2

2.10.3

2.10.4

2.10.5

2.10.6

2.11.0

2.11.1

2.12.0

2.12.1

2.12.2

2.13.0

2.13.1

2.13.2

2.14.0

2.14.1

2.14.2

2.14.3

2.14.4

2.14.5

2.15.0

Database specific

{
    "last_known_affected_version_range": "<= 2.15.0"
}