
Cloud Vulnerability DB
A community-led vulnerabilities database
Jenkins AWS CodeCommit Trigger Plugin version 3.0.12 and earlier contains a vulnerability (CVE-2023-35147) that was disclosed on June 14, 2023. The vulnerability affects the AWS SQS queue name path parameter in an HTTP endpoint, which fails to implement proper path restrictions (Jenkins Advisory, GitHub Lab).
The vulnerability exists in the SQSActivityAction.java file, specifically in the doDownload method. The method accepts a file name path parameter from HTTP requests without proper validation. When processing the request, the plugin directly appends the user-provided path to the filesystem path and serves the resulting file back to the user. This implementation allows for path traversal attacks using '../' sequences (GitHub Lab). The vulnerability has been assigned a CVSS v3.1 Base Score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (NVD).
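The following is an added illustration, not code from the AWS CodeCommit Trigger Plugin or from the Jenkins advisory: it places the unrestricted "append the request parameter to a base path" pattern the text describes next to a hardened resolver that normalizes the result and refuses anything that leaves the intended root. The root directory, the class and method names, and the sample file names are all assumptions chosen for the example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not the plugin's code). Shows why appending a request-supplied
 * file name to a filesystem path is unsafe and how to restrict it to one root.
 */
public final class SafeDownloadPath {

    // Hypothetical download root; the plugin's real base directory is not stated on the page.
    private static final Path DOWNLOAD_ROOT =
            Paths.get("/var/lib/jenkins/sqs-activity").toAbsolutePath().normalize();

    /**
     * Unrestricted pattern as the advisory describes it: the user-supplied name is
     * appended to the base path, so "../" components walk out of the root and an
     * absolute name replaces the root entirely (Path.resolve keeps absolute arguments).
     */
    static Path resolveUnchecked(String fileName) {
        return DOWNLOAD_ROOT.resolve(fileName);
    }

    /**
     * Hardened pattern: resolve, normalize away "." and "..", then require the result
     * to still be strictly inside the root before touching the filesystem.
     */
    static Path resolveUnderRoot(String fileName) throws IOException {
        if (fileName == null || fileName.isEmpty()) {
            throw new IOException("empty file name");
        }
        Path candidate = DOWNLOAD_ROOT.resolve(fileName).normalize();
        // Path.startsWith compares whole name elements, so "/root-other" is not
        // mistaken for a child of "/root" the way a string prefix check would.
        if (!candidate.startsWith(DOWNLOAD_ROOT) || candidate.equals(DOWNLOAD_ROOT)) {
            throw new IOException("path escapes download root: " + fileName);
        }
        // If the target already exists, also follow symlinks and re-check containment,
        // so a link planted under the root cannot point outside it.
        if (Files.exists(candidate)) {
            Path real = candidate.toRealPath();
            if (!real.startsWith(DOWNLOAD_ROOT.toRealPath())) {
                throw new IOException("symlink escapes download root: " + fileName);
            }
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate name, one with "../", one that
        // normalizes back inside the root, and one absolute path.
        String[] samples = {
            "activity.log", "../../outside.txt", "sub/../activity.log", "/outside.txt"
        };
        for (String s : samples) {
            System.out.println("unchecked: " + s + " -> " + resolveUnchecked(s));
            try {
                System.out.println("checked:   " + s + " -> " + resolveUnderRoot(s));
            } catch (IOException e) {
                System.out.println("checked:   " + s + " -> REJECTED (" + e.getMessage() + ")");
            }
        }
    }
}
```

Running the example shows the unchecked resolver happily producing paths above the root for the "../" and absolute inputs, while the hardened resolver accepts only the two names that normalize to a location inside the root. The containment check is done on the normalized `Path` rather than by searching the string for "../", because encoded or platform-specific separators can slip past a string filter but not past normalization.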
The vulnerability allows attackers with Item/Read permission to obtain the contents of arbitrary files on the Jenkins controller file system. This could lead to unauthorized access to sensitive information, including system files and configuration data (Jenkins Advisory).
As of the advisory publication date, there is no fix available for this vulnerability in the AWS CodeCommit Trigger Plugin (Jenkins Advisory). Organizations should assess the risk and consider implementing additional access controls or monitoring mechanisms until a patch becomes available.
The vulnerability was discovered and reported by Tony Torralba from the GitHub Security Lab team. The issue was initially reported to the Jenkins Security Team on March 28, 2023, and was publicly disclosed on June 14, 2023 (GitHub Lab).
Source: This report was generated using AI