GHSA-367v-5ppj-2hrx

Source
https://github.com/advisories/GHSA-367v-5ppj-2hrx
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-367v-5ppj-2hrx/GHSA-367v-5ppj-2hrx.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-367v-5ppj-2hrx
Aliases
Published
2025-07-09T18:30:45Z
Modified
2025-07-09T23:46:04.960657Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Jenkins HTML Publisher Plugin vulnerability displays controller file system information in its logs
Details

Jenkins HTML Publisher Plugin 425 and earlier displays log messages that include the absolute paths of files archived during the Publish HTML reports post-build step, exposing information about the Jenkins controller file system in the build log.

HTML Publisher Plugin 427 displays only the parent directory name of files archived during the Publish HTML reports post-build step in its log messages.

Database specific
{
    "nvd_published_at": "2025-07-09T16:15:24Z",
    "github_reviewed": true,
    "github_reviewed_at": "2025-07-09T20:44:31Z",
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-36",
        "CWE-779"
    ]
}
References

Affected packages

Maven / org.jenkins-ci.plugins:htmlpublisher

Package

Name
org.jenkins-ci.plugins:htmlpublisher
Purl
pkg:maven/org.jenkins-ci.plugins/htmlpublisher

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
427

Affected versions

0.*

0.7
0.8

1.*

1.0
1.1
1.2
1.3
1.4
1.5
1.6
1.7
1.8
1.9
1.10
1.11
1.12
1.13
1.14
1.15
1.16
1.16.1
1.17
1.18
1.19
1.20
1.21
1.22-beta-1
1.22
1.23
1.24
1.25
1.26
1.27
1.28
1.29
1.30
1.31
1.32
1.32.1
1.33
1.34
1.35
1.36
1.37

424.*

424.va_e57f1253461

Other

425