CVE-2022-34177

Published: 23 Jun 2022
Source: nvd
CVSS3: 7.5
CVSS2: 5
EPSS: Low

Description

Jenkins Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier archives files uploaded for file parameters for Pipeline input steps on the controller as part of build metadata, using the parameter name without sanitization as a relative path inside a build-related directory, allowing attackers able to configure Pipelines to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.

Vulnerable configurations

Configuration 1
cpe:2.3:a:jenkins:pipeline\:_input_step:*:*:*:*:*:jenkins:*:*
Versions up to and including 448.v37cea_9a_10a_70

EPSS

Percentile: 25%
0.00081
Low

CVSS3: 7.5 High

CVSS2: 5 Medium

Weaknesses

CWE-22

Related vulnerabilities

CVSS3: 7.5
redhat
about 3 years ago

Jenkins Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier archives files uploaded for `file` parameters for Pipeline `input` steps on the controller as part of build metadata, using the parameter name without sanitization as a relative path inside a build-related directory, allowing attackers able to configure Pipelines to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.

CVSS3: 8.8
github
about 3 years ago

Arbitrary file write vulnerability in Jenkins Pipeline: Input Step Plugin
