PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-4987 Jenkins CVE debrief

CVE-2016-4987 is a directory traversal issue in the Jenkins Image Gallery plugin before version 1.4. According to the CVE description, a remote attacker could use unspecified form fields to list arbitrary directories and read arbitrary files. The official NVD record classifies the weakness as CWE-22 and assigns a medium severity score.

Vendor
Jenkins
Product
CVE-2016-4987
CVSS
MEDIUM 6.5
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-09
Original CVE updated
2026-05-13
Advisory published
2017-02-09
Advisory updated
2026-05-13

Who should care

Administrators of Jenkins instances that use the Image Gallery plugin, especially environments that have not confirmed the plugin is at version 1.4 or later. Security teams should also care if Jenkins plugins are installed broadly across development or build infrastructure, since file disclosure can expose configuration, secrets, or other sensitive data.

Technical summary

The vulnerability is a path traversal / directory traversal flaw in the Jenkins Image Gallery plugin before 1.4. The NVD record indicates CWE-22 and a CVSS v3.1 vector of AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, which suggests network reachability, low attack complexity, low privileges required, no user interaction, and high confidentiality impact. The CVE description states that attackers could list directories and read arbitrary files via unspecified form fields.

Defensive priority

Medium. This is not listed as a known exploited vulnerability in the supplied corpus, but the confidentiality impact is high and the affected component is a Jenkins plugin, so remediation should still be prioritized in environments that expose Jenkins or store sensitive build data.

Recommended defensive actions

  • Confirm whether the Jenkins Image Gallery plugin is installed and whether the version is earlier than 1.4.
  • Upgrade the plugin to version 1.4 or later, or remove the plugin if it is not required.
  • Review Jenkins access controls so only trusted users can reach plugin functionality that handles file or path input.
  • Check for exposed sensitive files or unexpected file access in Jenkins logs and surrounding audit records.
  • If exposure is suspected, rotate credentials or secrets that may have been accessible through readable files.

Evidence notes

The CVE description supplied with the record states: 'Directory traversal vulnerability in the Image Gallery plugin before 1.4 in Jenkins allows remote attackers to list arbitrary directories and read arbitrary files via unspecified form fields.' The NVD metadata supplied in the source corpus maps the issue to CWE-22 and lists the vulnerable CPE range as jenkins:image_gallery versions before 1.4. The official vendor advisory reference is the Jenkins Security Advisory dated 2016-06-20.

Official resources

CVE published 2017-02-09T15:59:01.067Z; the supplied source record was last modified 2026-05-13T00:24:29.033Z. The vendor advisory reference in the corpus is dated 2016-06-20.