Description
Jenkins Copy data to workspace Plugin 1.0 and earlier does not limit which directories can be copied from the Jenkins controller to job workspaces, allowing attackers with Job/Configure permission to read arbitrary files on the Jenkins controller.
Remediation
References
https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-1966
http://www.openwall.com/lists/oss-security/2020/09/16/3
Related Vulnerabilities
CVE-2020-2247 Vulnerability in maven package org.jenkins-ci.plugins:klocwork
CVE-2021-21307 Vulnerability in maven package org.lucee:lucee
CVE-2023-2633 Vulnerability in maven package org.jenkins-ci.plugins:codedx
CVE-2016-3101 Vulnerability in maven package org.jenkins-ci.plugins:extra-columns
CVE-2023-40337 Vulnerability in maven package org.jenkins-ci.plugins:cloudbees-folder