CVE-2024-28151: Jenkins HTML Publisher Plugin 1.32 and earlier archives invalid symbolic links in report directories on agents and recreates them on the...

Description

Jenkins HTML Publisher Plugin 1.32 and earlier archives invalid symbolic links in report directories on agents and recreates them on the controller, allowing attackers with Item/Configure permission to determine whether a path on the Jenkins controller file system exists, without being able to access it.

Classification

CVE ID: CVE-2024-28151

Affected Products

Vendor: Jenkins Project

Product: Jenkins HTML Publisher Plugin

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 13.16% (share of scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-03-14 (date this score was calculated)

References

https://www.jenkins.io/security/advisory/2024-03-06/#SECURITY-3303
http://www.openwall.com/lists/oss-security/2024/03/06/3

Timeline