CVE-2024-28151 — Jenkins HTML Publisher Plugin Path traversal vulnerability

Description

Jenkins HTML Publisher Plugin 1.32 and earlier archives invalid symbolic links in report directories on agents and recreates them on the controller, allowing attackers with Item/Configure permission to determine whether a path on the Jenkins controller file system exists, without being able to access it.

How to fix CVE-2024-28151

To remediate CVE-2024-28151, upgrade the affected package to a fixed version below.

—upgrade to 1.32.1 or later

Is CVE-2024-28151 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.32.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-28151
PATCHgithub.com/jenkinsci/htmlpublisher-plugin
WEBgithub.com/jenkinsci/htmlpublisher-plugin/commit/6b840248dd0d691bbac9b515cd750b3f925909b2
WEBwww.jenkins.io/security/advisory/2024-03-06/#SECURITY-3303