Description
Jenkins Scriptler Plugin 342.v6a_89fd40f466 and earlier does not restrict a file name query parameter in an HTTP endpoint, allowing attackers with Scriptler/Configure permission to delete arbitrary files on the Jenkins controller file system.
Remediation
References
https://www.jenkins.io/security/advisory/2023-12-13/#SECURITY-3205
http://www.openwall.com/lists/oss-security/2023/12/13/4
Related Vulnerabilities
CVE-2015-2575 Vulnerability in maven package mysql:mysql-connector-java
CVE-2022-24785 Vulnerability in maven package org.webjars.npm:moment
CVE-2022-34806 Vulnerability in maven package org.jenkins-ci.plugins:jigomerge
CVE-2018-11804 Vulnerability in maven package org.apache.spark:spark-core_2.11
CVE-2023-40572 Vulnerability in maven package org.xwiki.platform:xwiki-platform-oldcore