Arbitrary File Disclosure in Jenkins AWS CodeCommit Trigger Plugin

Arbitrary File Disclosure in Jenkins AWS CodeCommit Trigger Plugin

CVE-2023-35147 · MEDIUM Severity

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Jenkins AWS CodeCommit Trigger Plugin 3.0.12 and earlier does not restrict the AWS SQS queue name path parameter in an HTTP endpoint, allowing attackers with Item/Read permission to obtain the contents of arbitrary files on the Jenkins controller file system.

Learn more about our Aws Audit.