GHSA-4pw5-r58h-fv24
GitHub Security Advisory
Path traversal vulnerability on Windows in Jenkins
✓ GitHub Reviewed
MODERATE
Has CVE
Advisory Details
The file browser for workspaces, archived artifacts, and `userContent/` in Jenkins 2.314 and earlier, LTS 2.303.1 and earlier may interpret some paths to files as absolute on Windows.
This results in a path traversal vulnerability allowing attackers with Overall/Read permission (Windows controller) or Job/Workspace permission (Windows agents) to obtain the contents of arbitrary files.\n\nThe file browser in Jenkins 2.315, LTS 2.303.2 refuses to serve files that would be considered absolute paths.
Affected Packages
Maven
org.jenkins-ci.main:jenkins-core
Affected versions:
0
(fixed in 2.303.2)
Maven
org.jenkins-ci.main:jenkins-core
Affected versions:
2.304
(fixed in 2.315)
Related CVEs
Key Information
5.0
/10
Dataset
Last updated: August 24, 2025 6:28 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.