GHSA-23h5-8ph6-7rfc

Published: 16 Feb 2022
Source: github
GitHub: reviewed
CVSS3: 4.3

Description

Path traversal vulnerability in Jenkins Fortify Plugin

Jenkins Fortify Plugin 20.2.34 and earlier does not sanitize the appName and appVersion parameters of its Pipeline steps, which are used to write to files inside build directories.

This allows attackers with Item/Configure permission to write or overwrite .xml files on the Jenkins controller file system with content not controllable by the attacker.

Jenkins Fortify Plugin 20.2.35 sanitizes the appName and appVersion parameters of its Pipeline steps when determining the resulting filename.

Packages

Name                            Ecosystem   Affected versions   Fixed version
org.jenkins-ci.plugins:fortify  maven       < 20.2.35           20.2.35

EPSS

Percentile: 54%
Score: 0.00306
Low

CVSS3

4.3 Medium

Weaknesses

CWE-22

Related vulnerabilities

CVSS3: 4.3
nvd
more than 3 years ago

Jenkins Fortify Plugin 20.2.34 and earlier does not sanitize the appName and appVersion parameters of its Pipeline steps, allowing attackers with Item/Configure permission to write or overwrite .xml files on the Jenkins controller file system with content not controllable by the attacker.
