
CVE-2014-3664: Jenkins Path Traversal vulnerability

CVSS Score: 4

Basic Information

EPSS Score: 0.47935%
Published: 5/17/2022
Updated: 2/8/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
| --- | --- | --- | --- |
| org.jenkins-ci.main:jenkins-core | maven | >= 1.566, < 1.583 | 1.583 |
| org.jenkins-ci.main:jenkins-core | maven | < 1.565.3 | 1.565.3 |

Vulnerability Intelligence
Miggo AI Root Cause Analysis

CVE-2014-3664 is a directory traversal vulnerability that authenticated users can trigger through unspecified vectors. Analysis of Jenkins' architecture indicates:

  1. The Stapler framework's file-serving methods (serveLocalizedFile) are primary candidates for path traversal flaws.
  2. PluginServlet's resource handling is another common attack surface.
  3. The security advisory specifically calls out exposure of 'files readable by Jenkins process'.
  4. The patched versions (1.583 / LTS 1.565.3) would have added path normalization or sandboxing in these areas.
  5. Historical Jenkins vulnerabilities (CVE-2014-3667) show similar patterns in plugin resource handling.


WAF Protection Rules

WAF Rule

Directory traversal vulnerability in Jenkins before 1.583 and LTS before 1.565.3 allows remote authenticated users with the Overall/Read permission to read arbitrary files via unspecified vectors.
