VYPR
Moderate severity · NVD Advisory · Published May 8, 2018 · Updated Sep 17, 2024

CVE-2018-1000175

Description

A path traversal vulnerability exists in Jenkins HTML Publisher Plugin 1.15 and older in HtmlPublisherTarget.java that allows attackers able to configure the HTML Publisher build step to override arbitrary files on the Jenkins master.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A path traversal vulnerability in Jenkins HTML Publisher Plugin 1.15 and older allows attackers with build step configuration access to overwrite arbitrary files on the Jenkins master.

Vulnerability

A path traversal vulnerability exists in the Jenkins HTML Publisher Plugin, version 1.15 and older, within the HtmlPublisherTarget.java file [1][2]. This flaw allows an attacker who can configure the HTML Publisher build step to specify a path that escapes the intended report directory, enabling the overwrite of arbitrary files on the Jenkins master server. The plugin is used to publish HTML reports generated by builds to job and build pages, and it can be configured in both Freestyle and Pipeline jobs [3].

Exploitation

An attacker needs the ability to configure the HTML Publisher build step, which typically requires Job/Configure permission [2]. By crafting a malicious path in the "HTML directory to archive" field, the attacker can traverse directories outside the intended workspace [1]. No user interaction beyond the initial configuration is required, and the exploitation occurs during the build process when the plugin archives the report.

Impact

Successful exploitation allows an attacker to overwrite arbitrary files on the Jenkins master, potentially leading to severe consequences such as data corruption, unauthorized modification of Jenkins configuration, or arbitrary code execution if critical files (e.g., config.xml, plugin jars) are overwritten [1][2]. The attacker gains the ability to compromise the integrity and availability of the Jenkins master.

Mitigation

The vulnerability is fixed in HTML Publisher Plugin version 1.16, released on 2018-04-16 as part of the Jenkins security advisory [2]. Users are strongly advised to upgrade to version 1.16 or later. As no workaround is documented, upgrading is the only mitigation [2].
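As an added illustration (not the plugin's code and not its actual 1.16 fix), the Java below contrasts the unchecked join that lets a configured "HTML directory to archive" value escape the workspace with a containment check that canonicalizes the joined path and rejects anything outside the workspace root. ReportDirCheck, resolveUnchecked and resolveContained are hypothetical names, and the temporary directory stands in for a job workspace.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Hypothetical stand-in for a report-archiving step; not HtmlPublisherTarget.java itself.
public class ReportDirCheck {

    // Vulnerable pattern: the configured directory is joined to the workspace
    // without confirming that the result still lies inside it, so "../.." or an
    // absolute path lands outside the workspace.
    static Path resolveUnchecked(Path workspace, String reportDir) {
        return workspace.resolve(reportDir);
    }

    // Hardened pattern: canonicalize the workspace root, normalize the joined
    // path (collapsing ".." segments), resolve symlinks where the target exists,
    // and reject any result that is not under the canonical root.
    static Path resolveContained(Path workspace, String reportDir) throws IOException {
        Path root = workspace.toRealPath();
        Path candidate = root.resolve(reportDir).normalize();
        // toRealPath requires an existing path; fall back to the normalized form otherwise
        Path canonical = Files.exists(candidate) ? candidate.toRealPath() : candidate;
        if (!canonical.startsWith(root)) {
            throw new IllegalArgumentException("report directory escapes workspace: " + reportDir);
        }
        return canonical;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample workspace with one legitimate report directory
        Path workspace = Files.createTempDirectory("ws");
        Files.createDirectories(workspace.resolve("target/site"));

        // Constructed configuration values: one legitimate, two that traverse out
        String[] configured = { "target/site", "../../etc", "target/../../outside" };
        for (String dir : configured) {
            System.out.println("unchecked: " + resolveUnchecked(workspace, dir).normalize());
            try {
                System.out.println("contained: " + resolveContained(workspace, dir));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected:  " + e.getMessage());
            }
        }
    }
}
```

Only the first value resolves under the workspace; the other two print an escaped path from the unchecked join and are rejected by the contained version.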

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:htmlpublisher (Maven)
Affected versions: < 1.16
Patched versions: 1.16

Affected products: 2


References: 4
