CVE-2019-10352 in Jenkins
Summary
by MITRE
A path traversal vulnerability in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java allowed attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build.
Analysis
by VulDB Data Team • 11/01/2023
This vulnerability resides in the core file parameter handling of Jenkins 2.185 and earlier and LTS 2.176.1 and earlier. The flaw is in the FileParameterValue class (core/src/main/java/hudson/model/FileParameterValue.java), which fails to validate file paths submitted through job configurations. Attackers who hold Job/Configure permission can exploit this by defining a file parameter whose name contains directory traversal sequences such as ../ or ..\, causing the file to be written outside the intended target directory. Because the write happens on the Jenkins master, where builds are scheduled and configuration is stored, the resulting arbitrary file write can be leveraged for arbitrary code execution or data manipulation.
The technical implementation of this path traversal flaw occurs when Jenkins processes file parameters during build scheduling operations. When a user with Job/Configure permission creates a file parameter with a specially crafted filename containing path traversal sequences, the system does not properly sanitize these paths before writing files to the master server's filesystem. This allows attackers to bypass normal file access controls and write files to arbitrary locations on the master server, potentially including critical system directories or configuration files. The vulnerability is classified as CWE-22 Path Traversal and represents a direct violation of secure file handling practices.
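To make the mechanism concrete, here is an added Python sketch (not Jenkins code and not part of the VulDB analysis) of the unsafe join described above beside a containment check that rejects the ../ and ..\ names; the workspace path and file names are constructed for the demo.

```python
import os
from pathlib import Path

# Constructed workspace path for the demo; it does not need to exist.
WORKSPACE = "/srv/jenkins/workspace/demo-job"


def vulnerable_target(workspace: str, file_name: str) -> str:
    """The unsafe pattern: the user-controlled file name is joined onto the
    workspace with no validation, so '../' segments walk out of it."""
    return os.path.normpath(os.path.join(workspace, file_name))


def hardened_target(workspace: str, file_name: str) -> str:
    """Resolve the final path and require it to stay inside the workspace.

    Backslashes are treated as separators as well, because a Windows master
    would honour '..\\' even though POSIX would not. A plain string-prefix
    check is avoided because it would wrongly accept a sibling directory
    such as 'demo-job-evil'."""
    normalized = file_name.replace("\\", "/")
    if normalized.startswith("/") or os.path.isabs(normalized):
        raise ValueError(f"absolute path not allowed: {file_name!r}")
    root = Path(workspace).resolve()
    candidate = (root / normalized).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"file parameter escapes workspace: {file_name!r}")
    return str(candidate)


def is_contained(workspace: str, file_name: str) -> bool:
    """True when hardened_target() accepts the name, False when it rejects it."""
    try:
        hardened_target(workspace, file_name)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for name in ("reports/junit.xml", "../../outside.txt",
                 "..\\..\\outside.txt", "../demo-job-evil/x.txt"):
        print(f"{name!r:28} unsafe -> {vulnerable_target(WORKSPACE, name)}"
              f"  accepted by check: {is_contained(WORKSPACE, name)}")
```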
The operational impact of this vulnerability is severe as it enables attackers to perform arbitrary file writes on the Jenkins master server, which typically runs with elevated privileges. This capability can be exploited to upload malicious files such as shell scripts, web shells, or modified configuration files that could lead to complete system compromise. Attackers could also overwrite critical Jenkins components or configuration files, potentially causing denial of service or creating persistent backdoors. The vulnerability is particularly dangerous because it requires only Job/Configure permissions, which are often granted to developers and build operators, making it accessible to a wide range of authenticated users within the organization.
Mitigation starts with upgrading to a release newer than 2.185 (or newer than LTS 2.176.1), where the file parameter path validation has been corrected. Organizations should also restrict Job/Configure permission to trusted administrators, enforce filesystem access controls on the Jenkins master, and monitor for unexpected file creation in and around the Jenkins home directory. The ATT&CK framework categorizes this type of vulnerability under T1059 Command and Scripting Interpreter and T1078 Valid Accounts, as it leverages legitimate administrative permissions to achieve unauthorized file system access. Regular security audits and privilege reviews should be conducted to minimize the attack surface and prevent unauthorized users from obtaining the permissions needed to exploit this vulnerability.