VYPR
High severity · 7.5 · NVD Advisory · Published Feb 9, 2017 · Updated May 13, 2026

CVE-2016-4986

Description

Directory traversal vulnerability in the TAP plugin before 1.25 in Jenkins allows remote attackers to read arbitrary files via an unspecified parameter.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package        Ecosystem   Affected versions   Patched versions
org.tap4j:tap  Maven       < 1.25              1.25

Affected products (1)

  • cpe:2.3:a:jenkins:tap:*:*:*:*:*:jenkins:*:*
    Range: <1.25

Patches (1)

8e2a3aa86ce5

[SECURITY-85] CVE-2016-4986 Prevent tap-plugin from reading files outside of the workspace's tap directory

https://github.com/jenkinsci/tap-plugin · Bruno P. Kinoshita · Jun 20, 2016 · via ghsa
1 file changed · +3 −1
  • src/main/java/org/tap4j/plugin/TapResult.java · +3 −1 · modified
    @@ -56,6 +56,7 @@
     import hudson.FilePath;
    
     import hudson.model.AbstractBuild;
    
     import hudson.model.ModelObject;
    
    +import hudson.tasks.test.TestObject;
    
     
    
     /**
    
      * @author Bruno P. Kinoshita - http://www.kinoshita.eti.br
    
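Review bot: the new import at the top of this hunk pulls in hudson.tasks.test.TestObject solely for its static safe() helper, a class that belongs to the JUnit test-result API rather than to path handling, and nothing else in TapResult uses it. A one-line comment at the call site (or in the commit message) stating that TestObject.safe() is being relied on as the path sanitiser would make that dependency obvious to the next maintainer, who may otherwise assume the import is stray and remove it.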
    @@ -307,7 +308,8 @@ public void doDownloadAttachment(StaplerRequest request, StaplerResponse respons
             String f = request.getParameter("f");
    
             String key = request.getParameter("key");
    
             try {
    
    -            FilePath tapDir = new FilePath(new FilePath(new File(build.getRootDir(), Constants.TAP_DIR_NAME)), f);
    
    +            FilePath parent = new FilePath(new File(build.getRootDir(), Constants.TAP_DIR_NAME));
    
    +            FilePath tapDir = parent.child(TestObject.safe(f));
    
                 ServletOutputStream sos = response.getOutputStream();
    
                 if(tapDir.exists()) {
    
                     String tapStream = tapDir.readToString();
    
    
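Review bot: the hardened lines resolve the request parameter with parent.child(TestObject.safe(f)), so the guarantee that tapDir stays inside the tap directory rests entirely on what safe() strips from f; the hunk adds no containment check of its own. Consider an explicit post-resolution check before tapDir.exists() is consulted, for example rejecting the request unless tapDir.absolutize().getRemote() starts with parent.absolutize().getRemote() followed by the separator, so that a future change to safe() cannot silently reopen the traversal. Also, request.getParameter("f") returns null when the parameter is absent, and the new code passes that straight into safe() and child() with no check; answering a missing f with a 400/404 is cleaner than relying on either helper to tolerate null.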
