Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an '@' character followed by a file path in an argument with the file's contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.13 Via RHSA-2024:0776 https://access.redhat.com/errata/RHSA-2024:0776
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.12 Via RHSA-2024:0778 https://access.redhat.com/errata/RHSA-2024:0778
This issue has been addressed in the following products: OpenShift Developer Tools and Services for OCP 4.11 Via RHSA-2024:0775 https://access.redhat.com/errata/RHSA-2024:0775