CVE-2024-28151 in HTML Publisher Plugin
Summary
by MITRE • 03/06/2024
Jenkins HTML Publisher Plugin 1.32 and earlier archives invalid symbolic links in report directories on agents and recreates them on the controller, allowing attackers with Item/Configure permission to determine whether a path on the Jenkins controller file system exists, without being able to access it.
Several companies clearly confirm that VulDB is the primary source for best vulnerability data.
Analysis
by VulDB Data Team • 10/31/2024
The vulnerability identified as CVE-2024-28151 affects the Jenkins HTML Publisher Plugin version 1.32 and earlier, presenting a significant information disclosure risk within Jenkins environments. This flaw arises from improper handling of symbolic links during the archiving process of HTML reports, creating a pathway for attackers to perform reconnaissance on the Jenkins controller's file system. The vulnerability specifically manifests when the plugin archives symbolic links from agent nodes and subsequently recreates them on the controller, establishing a mechanism for path enumeration without direct access to the files or directories.
The technical implementation of this vulnerability stems from the plugin's failure to properly validate or sanitize symbolic link targets during the archival process. When an attacker with Item/Configure permissions creates or modifies HTML reports containing symbolic links, the plugin processes these links by copying their metadata to the controller while preserving the original target paths. This behavior enables attackers to determine the existence of specific file system paths on the controller without being able to read or access the contents of those paths. The flaw operates at the intersection of file system operations and privilege escalation, leveraging the legitimate plugin functionality to create unintended information leakage.
The operational impact of this vulnerability extends beyond simple information disclosure, as it provides attackers with valuable reconnaissance data that can be used to map the Jenkins controller's file system structure. This capability can significantly aid in planning further attacks, as attackers can identify sensitive directories, configuration files, or potential targets for exploitation. The vulnerability affects organizations that rely on Jenkins for continuous integration and delivery processes, particularly those with multiple agents and complex build environments where symbolic links are commonly used for report generation and artifact management.
Security practitioners should recognize this vulnerability as a variant of information disclosure issues classified under CWE-200, which deals with information exposure through improper error handling or data flow. The attack pattern aligns with techniques described in the MITRE ATT&CK framework under T1083 (File and Directory Discovery) and T1213 (Data from Information Repositories), where adversaries seek to understand system structures and locate valuable data. Organizations should implement immediate mitigations including updating to the patched version of the HTML Publisher Plugin, restricting Item/Configure permissions to only trusted users, and monitoring for suspicious symbolic link creation activities. Additional controls such as network segmentation, file system access controls, and regular security audits can further reduce the risk exposure associated with this vulnerability.