Candidate: CVE-2018-6356
PublicDate: 2018-02-20 15:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6356
Description:
 Jenkins before 2.107 and Jenkins LTS before 2.89.4 did not properly prevent
 specifying relative paths that escape a base directory for URLs accessing
 plugin resource files. This allowed users with Overall/Read permission to
 download files from the Jenkins master they should not have access to. On
 Windows, any file accessible to the Jenkins master process could be
 downloaded. On other operating systems, any file within the Jenkins home
 directory accessible to the Jenkins master process could be downloaded.
Ubuntu-Description:
Notes:
Bugs:
Priority: untriaged
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N [6.5 MEDIUM]


Patches_jenkins:
upstream_jenkins: needs-triage
precise/esm_jenkins: DNE
trusty_jenkins: DNE
trusty/esm_jenkins: DNE
xenial_jenkins: DNE
artful_jenkins: DNE
devel_jenkins: DNE