Description
Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
Remediation
References
Related Vulnerabilities
WordPress Plugin Thrive Dashboard Security Bypass (2.3.9.2)
WordPress Plugin WordPress Gallery-NextGEN Gallery Cross-Site Request Forgery (3.28)
MySQL CVE-2023-22111 Vulnerability (CVE-2023-22111)
WordPress Plugin arcResBookingWidget Multiple Vulnerabilities (1.0)
PHP Resource Management Errors Vulnerability (CVE-2015-4024)