Main Vulnerability Database Vulnerabilities #VU85792

Path traversal in Matrix Project - CVE-2024-23900

Published: January 25, 2024

Vulnerability identifier: #VU85792

CSH Severity: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2024-23900

CWE-ID: CWE-22

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Matrix Project

Software vendor:
Jenkins

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to the affected plugin does not sanitize user-defined axis names of multi-configuration projects submitted through the config.xml REST API endpoint. A remote user can create or replace any config.xml file on the Jenkins controller file system with content not controllable by the attackers.

Remediation

Install update from vendor's website.

External links

https://www.jenkins.io/security/advisory/2024-01-24/#SECURITY-3289
http://www.openwall.com/lists/oss-security/2024/01/24/6

Path traversal in Matrix Project - CVE-2024-23900

Description

Remediation

External links

Please verify you're human