Because of a misconfiguration of a default option in the CLI command parser, an attacker can read arbitrary files.
Jenkins 2.441 and earlier and LTS 2.426.2 and earlier do not disable a feature of their CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
- Jenkins < 2.442
- Jenkins LTS Edition < 2.426.3
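As an added illustration (this is not code from this README, nor from Jenkins), the following Java program shows the parser behaviour described above and the setting that turns it off. It assumes args4j 2.33, whose `ParserProperties.withAtSyntax(boolean)` controls the expansion; the Jenkins CLI command parser is built on args4j. The only file it reads is a temporary one it creates itself.

```java
// Added example, not part of this README or of Jenkins.
// Assumes args4j 2.33 on the classpath.
import org.kohsuke.args4j.Argument;
import org.kohsuke.args4j.CmdLineException;
import org.kohsuke.args4j.CmdLineParser;
import org.kohsuke.args4j.ParserProperties;

import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;

public class AtSyntaxDemo {

    // Bean that receives positional arguments, like a CLI command's options.
    public static class Options {
        @Argument
        public List<String> args = new ArrayList<>();
    }

    // Parses argv with the given ParserProperties and returns what the
    // command would actually see as its arguments.
    static List<String> parse(ParserProperties props, String... argv) throws CmdLineException {
        Options opts = new Options();
        new CmdLineParser(opts, props).parseArgument(argv);
        return opts.args;
    }

    public static void main(String[] argv) throws Exception {
        // Constructed input: a temporary file created by this program, standing
        // in for any file on the controller; nothing outside it is read.
        Path sample = Files.createTempFile("demo-", ".txt");
        Files.write(sample, List.of("line-one", "line-two"));
        String atArg = "@" + sample.toAbsolutePath();

        // Default properties: at-syntax is on, so "@<path>" is replaced by the
        // file's lines, one argument per line. This is the behaviour the
        // advisory describes; the command sees the file contents, not "@...".
        System.out.println("default:  " + parse(ParserProperties.defaults(), atArg));

        // Hardened: at-syntax disabled, so the argument stays the literal
        // string "@<path>" and the file is never opened by the parser.
        ParserProperties hardened = ParserProperties.defaults().withAtSyntax(false);
        System.out.println("hardened: " + parse(hardened, atArg));

        Files.deleteIfExists(sample);
    }
}
```

Run the two calls back to back and compare the printed lists: the default parse yields the file's lines, the hardened parse yields the single unexpanded argument. Disabling at-syntax on the `ParserProperties` handed to every `CmdLineParser` is the setting change that removes the behaviour; filtering arguments that start with '@' before parsing is a weaker substitute because it has to anticipate every place the parser is constructed.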
The Security Advisory states the following:
- Attackers with Overall/Read permission can read the entire file
- Attackers without Overall/Read permission can read the first few lines of a file, depending on available CLI commands
I have not been able to reproduce either of these, so the parsing of the output may be wrong in some cases. Use --raw if you feel like this is the case.