Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable Pipeline step with low complexity but requires Item/Configure (PR:L); arbitrary controller file read plus vendor-noted RCE path justifies C:H/I:H/A:H.
Primary rating from Vendor (jenkins).
CVSS VectorVendor: jenkins
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Jenkins External Workspace Manager Plugin 1.3.2 and earlier does not reject path traversal sequences in the custom workspace path provided to the exwsAllocate Pipeline step, allowing attackers with Item/Configure permission to read arbitrary files on the Jenkins controller file system, which can lead to remote code execution.
Articles & Coverage 2
AnalysisAI
Path traversal in the Jenkins External Workspace Manager Plugin (versions 1.3.2 and earlier) lets an attacker with Item/Configure permission supply traversal sequences in the custom workspace path of the exwsAllocate Pipeline step to read arbitrary files from the Jenkins controller filesystem, which the vendor notes can escalate to remote code execution. The flaw requires an authenticated low-privileged user (CVSS:3.1 PR:L, base 8.8) and is reported directly by the Jenkins security team. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to hold Jenkins Item/Configure permission, allowing them to define or modify a Pipeline that invokes the exwsAllocate step, and to supply a malicious custom workspace path containing path traversal sequences - this is an authenticated attack, not unauthenticated. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Signals are moderately consistent toward a real but gated risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | A developer with Item/Configure permission (or an attacker who has phished such an account) edits or creates a Pipeline job that calls exwsAllocate with a custom workspace path containing '../../' sequences pointing at sensitive controller files such as credentials.xml or the master key. When the pipeline runs, the plugin resolves the traversal and reads those files back, which the attacker can then use to recover credentials and pivot to remote code execution on the controller. … |
| Remediation | Apply the fix described in the Jenkins security advisory SECURITY-3777 (https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3777); the input data does not include an exact fixed version number, so treat the patch as 'available per vendor advisory' and upgrade to the version designated as fixed in that advisory rather than an assumed number. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Jenkins installations running External Workspace Manager Plugin version 1.3.2 or earlier and determine operational necessity. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38777
GHSA-hrmj-8fm9-cg8x