Main Vulnerability Database Vulnerabilities #VU22918

#VU22918 Path traversal in Support Core - CVE-2019-16540

Published: November 22, 2019

Vulnerability identifier: #VU22918

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2019-16540

CWE-ID: CWE-22

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Support Core

Software vendor:
Jenkins

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to the affected plugin does not validate the paths submitted for the "Delete Support Bundles" feature. A remote authenticated attacker can send a specially crafted HTTP request and delete arbitrary files on the Jenkins master file system accessible to the OS user account running Jenkins.

Remediation

Install updates from vendor's website.

External links

https://jenkins.io/security/advisory/2019-11-21/#SECURITY-1634

#VU22918 Path traversal in Support Core - CVE-2019-16540

Description

Remediation

External links

Please verify you're human