CVE-2024-23904
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
24/01/2024
Last modified:
20/06/2025
Description
Jenkins Log Command Plugin 1.0.2 and earlier does not disable a feature of its command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read content from arbitrary files on the Jenkins controller file system.
Impact
Base Score 3.x
7.50
Severity 3.x
HIGH
Vulnerable products and versions
CPE | From | Up to |
---|---|---|
cpe:2.3:a:jenkins:log_command:*:*:*:*:*:jenkins:*:* | 1.0.2 (including) |
To consult the complete list of CPE names with products and versions, see this page