
CVE-2016-4987: Jenkins Image Gallery Plugin allows Path Traversal

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.61466%
Published: 5/13/2022
Updated: 3/13/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name: com.tupilabs.image_gallery:image-gallery
Ecosystem: maven
Vulnerable Versions: < 1.4
First Patched Version: 1.4

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from two key issues:

  1. The original getRelativeFrom method manually traversed parent directories without using secure path resolution, leaving it susceptible to path traversal.
  2. createImageGallery accepted the user-controlled 'baseRootFolder' input without verifying that it was contained within the artifacts directory.

The patch added Path normalization and an isChild() containment check to address these issues, confirming that these functions were the attack vectors.
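The containment check described above, as an added Java example that is not the plugin's own code; the class name, helper names and the sample artifacts path are assumptions:

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added illustration (not the plugin's own code) of the fix the analysis
 * describes: normalize the path, then require that it is a child of the
 * artifacts directory. Helper names and sample paths are assumptions.
 */
public class ArtifactPathCheck {

    // True only when 'candidate' lies inside 'parent' after both are made
    // absolute and normalized, so "../" segments cannot escape the root.
    // Path.startsWith compares whole path components, so "/a/archive2" is
    // not treated as a child of "/a/archive".
    static boolean isChild(Path parent, Path candidate) {
        Path root = parent.toAbsolutePath().normalize();
        Path target = candidate.toAbsolutePath().normalize();
        return target.startsWith(root);
    }

    // Resolves the user-supplied baseRootFolder against the build's artifacts
    // directory and rejects any value that escapes it, including absolute
    // paths, which resolve() returns unchanged.
    static Path resolveInsideArtifacts(Path artifactsDir, String baseRootFolder) {
        Path resolved = artifactsDir.resolve(baseRootFolder).normalize();
        if (!isChild(artifactsDir, resolved)) {
            throw new IllegalArgumentException(
                "baseRootFolder escapes the artifacts directory: " + baseRootFolder);
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed sample values; nothing is read from disk.
        Path artifacts = Paths.get("/var/lib/jenkins/jobs/demo/builds/1/archive");
        String[] inputs = { "images/run1", "../../../../outside", "/tmp/elsewhere" };
        for (String input : inputs) {
            try {
                System.out.println("accepted: " + resolveInsideArtifacts(artifacts, input));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

normalize() is purely lexical and does not follow symbolic links; where links may exist inside the artifacts tree, compare toRealPath() results instead.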


WAF Protection Rules

WAF Rule

Directory traversal vulnerability in the Image Gallery plugin before 1.4 in Jenkins allows remote attackers to list arbitrary directories and read arbitrary files via unspecified form fields.
