RELEASED: Public: March 8, 2023
Security fixes
- Symlinks were followed when generating a backup in zip format (BEE-29575)
When the backup plugin was used to generate a backup file in zip format, symlinks were followed instead of being ignored or archived as symlinks. This behavior allowed attackers to create symlinks on the Jenkins controller file system, inside one of the directories being backed up, in order to add additional files from the Jenkins controller file system to the backup.
This issue has been resolved. Symlinks are now stored as symlinks inside zip archives.
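
The fixed behavior can be illustrated with a short Python sketch. This is an added example, not the backup plugin's own code, and the function names (`write_backup_zip`, `symlink_entries`, `demo`) and the sample tree are constructed for illustration. It writes each symlink as a zip entry whose Unix mode marks it as a link and whose body is the link target, so the file the link points to is never read into the archive.

```python
import os
import stat
import tempfile
import zipfile
from pathlib import Path


def write_backup_zip(root, zip_path):
    """Archive `root`, storing symlinks as symlink entries instead of following them."""
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        # os.walk does not descend into symlinked directories (followlinks=False).
        for dirpath, dirnames, filenames in os.walk(root):
            for name in sorted(dirnames + filenames):
                path = os.path.join(dirpath, name)
                arcname = os.path.relpath(path, root).replace(os.sep, "/")
                if os.path.islink(path):
                    info = zipfile.ZipInfo(arcname)
                    info.create_system = 3  # Unix: high 16 bits of external_attr hold the mode
                    info.external_attr = (stat.S_IFLNK | 0o777) << 16
                    zf.writestr(info, os.readlink(path))  # entry body is the link target
                elif os.path.isfile(path):
                    zf.write(path, arcname)


def symlink_entries(zip_path):
    """Return {entry name: link target} for entries whose Unix mode marks a symlink."""
    links = {}
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if stat.S_ISLNK(info.external_attr >> 16):
                links[info.filename] = zf.read(info).decode()
    return links


def demo():
    """Constructed sample: a regular file plus a symlink pointing outside the backup root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "backup-root")
        os.mkdir(root)
        outside = os.path.join(tmp, "outside.txt")
        Path(outside).write_text("NOT-PART-OF-BACKUP")
        Path(root, "config.xml").write_text("<config/>")
        os.symlink(outside, os.path.join(root, "link.txt"))
        zip_path = os.path.join(tmp, "backup.zip")
        write_backup_zip(root, zip_path)
        with zipfile.ZipFile(zip_path) as zf:
            names = sorted(zf.namelist())
            leaked = any(b"NOT-PART-OF-BACKUP" in zf.read(n) for n in names)
        return names, symlink_entries(zip_path), outside, leaked
```

`symlink_entries` can also be run against an existing backup archive to check whether links were preserved as links or replaced by the contents of their targets.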