June 16, 2023

GHSL-2023-054: Unauthenticated arbitrary file read in Jenkins plugin 3.0.12 - CVE-2023-35147

GitHub Security Lab

Coordinated Disclosure Timeline


AWS CodeCommit Trigger Jenkins Plugin 3.0.12 and earlier does not restrict a file name path parameter in an HTTP endpoint, allowing authenticated attackers to read arbitrary files on the Jenkins controller file system.


AWS CodeCommit Trigger Plugin

Tested Version



Path traversal in (GHSL-2023-054)

The AWS CodeCommit Trigger Jenkins Plugin implements an action called SQSActivityAction, which exposes a method doDownload that is accessible via HTTP requests:


public void doDownload() throws IOException, ServletException {
    StaplerRequest request = Stapler.getCurrentRequest();
    StaplerResponse response = Stapler.getCurrentResponse();

    // Remainder of the URL path after the action: fully attacker-controlled
    String name = request.getRestOfPath();
    // Concatenated straight onto the activity directory; no normalization or containment check
    File file = new File(this.activityDir.getPath() + "/" + name);
    if (file.exists()) {
        FileInputStream is = FileUtils.openInputStream(file);
        // Whatever exists at the resolved path is streamed back to the caller
        response.serveFile(request, is, 0L, 60_000L, file.length(), name);
    } else {
        response.getOutputStream().println("sorry, we not found it " + name.replace("/", ""));
    }
}
name is taken from the request path and appended directly to a filesystem path, and the resulting file is served straight back to the user. By using path traversal sequences (../), an attacker can make this endpoint return arbitrary files from the Jenkins controller filesystem.
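A containment check that would close this hole, written here as an added illustration rather than the plugin's actual fix: activityDir is assumed to be the plugin's activity directory, the Stapler request/response calls are left out so the resolver can be exercised on its own, and the check goes slightly beyond the advisory by also rejecting symlinks that point outside the directory.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public final class SafeActivityFile {

    /**
     * Resolve a user-supplied name against the activity directory and refuse
     * anything that escapes it. Returns null when the request must be rejected,
     * so the caller answers 404 instead of serving the file.
     */
    static Path resolveInside(Path activityDir, String name) throws IOException {
        // The real directory, with symlinks resolved, is the containment boundary
        Path base = activityDir.toRealPath();
        // getRestOfPath() leaves a leading '/' on the name; Path.resolve would treat
        // "/etc/passwd" as absolute and discard base, so strip it first
        String rel = name.startsWith("/") ? name.substring(1) : name;
        // normalize() folds "../" segments, so a traversal becomes a path that
        // no longer starts with base
        Path candidate = base.resolve(rel).normalize();
        if (!candidate.startsWith(base)) {
            return null;
        }
        // Second check after following symlinks inside the directory
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(base)) {
            return null;
        }
        return candidate;
    }

    // Demo on a temporary directory (constructed input, not from the advisory)
    public static void main(String[] args) throws IOException {
        Path dir = Files.createTempDirectory("activity");
        Files.writeString(dir.resolve("log.txt"), "ok");
        // A legitimate file inside the activity directory
        System.out.println(resolveInside(dir, "/log.txt"));
        // Traversal straight out of the directory
        System.out.println(resolveInside(dir, "/../../etc/passwd"));
        // Traversal hidden behind a non-existent subdirectory
        System.out.println(resolveInside(dir, "/sub/../../secrets.xml"));
    }
}
```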

This issue was found by the Uncontrolled data used in path expression CodeQL query.


This issue may lead to arbitrary file read.


This vulnerability could be exploited by making an authenticated GET request to a Jenkins server that has the AWS CodeCommit Trigger plugin installed, after configuring a test job that uses the “Build when a CodeCommit repository is updated and notifies a SQS queue” build trigger.

To obtain Jenkins’ credentials file:


To obtain /etc/passwd:





This issue was discovered and reported by GHSL team member @atorralba (Tony Torralba).


You can contact the GHSL team at; please include a reference to GHSL-2023-054 in any communication regarding this issue.