VDB
EN
HIGH 8.8

GHSA-mq58-m26g-46gp

Jenkins Email Extension Plugin: Attackers able to control email content may specify `file:` URLs for images to read arbitrary files from Jenkins controller filesystem

상세

Jenkins Email Extension Plugin 1933.v45cec755423f and earlier includes a feature that allows inlining images as `base64` in email content by setting the `data-inline` attribute. No restrictions are placed on the image URLs that can be inlined.

This allows attackers able to control the email content to specify `file:` URLs for images to read arbitrary files from the Jenkins controller filesystem.

The feature allowing inlining images as `base64` in email content by setting the `data-inline` attribute is removed from Email Extension Plugin 1933.1935.v276319e3cc47.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

Maven / org.jenkins-ci.plugins:email-ext
최초 영향 버전: 0 수정 버전: 1933.1935.v276319e3cc47
수정 # pom.xml: bump <version>1933.1935.v276319e3cc47</version> for org.jenkins-ci.plugins:email-ext

참고