CVE-2024-54004: 
Java vulnerability analysis and mitigation

The Filesystem List Parameter Plugin for Jenkins, versions 0.0.14 and earlier, contains a path traversal vulnerability (CVE-2024-54004) that was disclosed on November 27, 2024. This security flaw affects the File system objects list Parameter functionality within the plugin, impacting Jenkins installations using the vulnerable versions (Jenkins Advisory, NVD).

The vulnerability is classified as a path traversal issue (CWE-22) with a CVSS v3.1 base score of 4.3 (Medium). The security flaw stems from the plugin's failure to properly restrict the path used for the File system objects list Parameter, which could allow unauthorized access to file system information (Jenkins Advisory, CISA-ADP).

When exploited, this vulnerability allows attackers with Item/Configure permission to enumerate file names on the Jenkins controller file system. This could potentially expose sensitive information about the file system structure and contents to unauthorized users (Jenkins Advisory, GBHackers).

The vulnerability has been patched in Filesystem List Parameter Plugin version 0.0.15. The fix implements path restrictions using an allow list, with the default base directory set to $JENKINS_HOME/userContent/. Administrators can configure additional custom base directories as needed. Users are strongly advised to upgrade to version 0.0.15 to address this security issue (Jenkins Advisory).