Jenkins Log Command Plugin 1.0.2 and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read content from arbitrary files on the Jenkins controller file system.

Affected Packages

Maven org.jenkins-ci.plugins:log-command

Affected versions: 0 (last affected: 1.0.2)

Related CVEs

CVE-2024-23904

Key Information

GHSA ID

GHSA-qjpf-2jhx-3758

Published

January 24, 2024 6:31 PM

Last Modified

January 29, 2024 9:53 PM

CVSS Score

7.5 /10

Primary Ecosystem

Maven

Primary Package

org.jenkins-ci.plugins:log-command

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 24, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.