Allele Security Alert
ASA-2018-00088, CVE-2018-1000862, SECURITY-904
Workspace browser allowed accessing files outside the workspace
Jenkins LTS 2.138.4 or 2.150.1
Proof of concept
The file browser for workspaces, archived artifacts, and $JENKINS_HOME/userContent/ followed symbolic links to locations outside the directory being browsed.
While builds typically have access to the file system outside the workspace allocated by Jenkins, that access should not extend beyond the execution of a build on that agent. Notably, the configuration may have been changed so that a build can no longer run on a given agent, yet the workspace used during the previous execution still exists and could allow browsing the file system outside the workspace.
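Added illustration of the check that closes this class of escape (example code written for this alert, not Jenkins' own code): it builds a throwaway workspace containing a symlink to a file outside it, shows a naive join following the link, and shows a resolver that canonicalises the requested path and refuses anything outside the browsed root. The function and file names are constructed for the demo.

```python
import os
import tempfile


def naive_resolve(root, rel):
    # Vulnerable pattern: join the request under the root and serve whatever
    # the filesystem returns, including symlinks that point outside root.
    return os.path.join(root, rel)


def safe_resolve(root, rel):
    # Hardened pattern: canonicalise both the root and the candidate (this
    # follows symlinks and collapses ".."), then require the candidate to stay
    # under the canonical root. A symlink escape or traversal is rejected.
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, rel))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise PermissionError(f"{rel!r} resolves outside the browsed root")
    return candidate


def demo():
    """Constructed workspace with a symlink leaving it; returns outcomes."""
    with tempfile.TemporaryDirectory() as tmp:
        ws = os.path.join(tmp, "workspace")
        os.mkdir(ws)
        outside = os.path.join(tmp, "outside.txt")  # not under the workspace
        with open(outside, "w") as f:
            f.write("outside")
        with open(os.path.join(ws, "build.log"), "w") as f:
            f.write("inside")
        # The symlink a workspace browser would follow out of the directory.
        os.symlink(outside, os.path.join(ws, "escape"))

        results = {}
        with open(naive_resolve(ws, "escape")) as f:
            results["naive_escape"] = f.read()  # "outside": the bug
        with open(safe_resolve(ws, "build.log")) as f:
            results["safe_inside"] = f.read()  # "inside": normal files still served
        for rel in ("escape", "../outside.txt"):
            try:
                safe_resolve(ws, rel)
                results[rel] = "served"
            except PermissionError:
                results[rel] = "rejected"
        return results


if __name__ == "__main__":
    print(demo())
```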
Apple Information Security
Jenkins Security Advisory 2018-12-05
CloudBees Security Advisory 2018-12-05
If there is any error in this alert, or you would like a comprehensive analysis, let us know.
Last modified: March 6, 2019