GHSA-whgj-6m78-2gg9
GitHub Security Advisory
Arbitrary file read vulnerability in Jenkins AWS CodeCommit Trigger Plugin
GitHub Reviewed | Severity: MODERATE | Has CVE
Advisory Details
Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not restrict the AWS SQS queue name path parameter in an HTTP endpoint, allowing attackers with Item/Read permission to obtain the contents of arbitrary files on the Jenkins controller file system.
Affected Packages
Maven: org.jenkins-ci.plugins:aws-codecommit-trigger
Affected versions: 0 (last affected: 3.0.12)
Related CVEs
Key Information
5.0/10
Dataset
Last updated: August 24, 2025 6:28 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.