PRP: Jenkins CVE-2024-23904 Arbitrary File Read

[rootvector2]

• Identifier of the vulnerability: CVE-2024-23904
• Affected software: Jenkins Log Command Plugin
• Type of vulnerability: Arbitrary File Read (Unauthenticated)
• Requires authentication: No
• Language you would use for writing the plugin: Java (Templated plugin structure used in existing Tsunami HTTP-based detectors)

Resources:

• Jenkins Security Advisory (2024-01-24)
• NVD entry for CVE-2024-23904
• GitHub Advisory (GHSA-qjpf-2jhx-3758)

[github-actions]

Welcome to the Tsunami patch reward program!

Your issue has been added to our triage queue and will reviewed
shortly. The panel usually takes a decision once per week, so it
can take up to a week before you hear back from us.

Please, do not start the work until the panel has reached a
decision. Although we always welcome contributions, unapproved
work is not eligible for a reward.

~The Tsunami PRP team