GHSA-478x-m3mx-7j3f

GitHub Security Advisory

Jenkins HTML Publisher Plugin Path traversal vulnerability

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

Jenkins HTML Publisher Plugin 1.32 and earlier archives invalid symbolic links in report directories on agents and recreates them on the controller, allowing attackers with Item/Configure permission to determine whether a path on the Jenkins controller file system exists, without being able to access it.

Affected Packages

Maven: org.jenkins-ci.plugins:htmlpublisher
Affected versions: from 0 up to, but not including, 1.32.1 (fixed in 1.32.1)

Related CVEs

Key Information

GHSA ID: GHSA-478x-m3mx-7j3f
Published: March 6, 2024 6:30 PM
Last Modified: October 31, 2024 7:15 PM
CVSS Score: 5.0/10
Primary Ecosystem: Maven
Primary Package: org.jenkins-ci.plugins:htmlpublisher
GitHub Reviewed: ✓ Yes

Dataset

Last updated: July 5, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.