Описание
Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:' prefix interpolator by default, allowing attackers able to configure Pipelines to read arbitrary files from the Jenkins controller file system.
A flaw was found in the Pipeline Utility Steps Jenkins Plugin. The affected version of the Pipeline Utility Steps Plugin does not restrict the set of enabled prefix interpolators and bundles versions of this library that enable the file: prefix interpolator by default. This flaw allows attackers who can configure Pipelines to read arbitrary files from the Jenkins controller file system.
Отчет
OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of scope of the ELS support; hence the OpenShift 3.11 Jenkins component is marked in this CVE as out of support scope.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| OpenShift Developer Tools and Services | jenkins-2-plugins | Affected | ||
| Red Hat OpenShift Container Platform 3.11 | jenkins-2-plugins | Out of support scope | ||
| Red Hat OpenShift Container Platform 4.10 | jenkins-2-plugins | Fixed | RHSA-2023:0560 | 08.02.2023 |
| Red Hat OpenShift Container Platform 4.9 | jenkins-2-plugins | Fixed | RHSA-2023:0777 | 23.02.2023 |
Показывать по
Дополнительная информация
Статус:
EPSS
8.1 High
CVSS3
Связанные уязвимости
Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:' prefix interpolator by default, allowing attackers able to configure Pipelines to read arbitrary files from the Jenkins controller file system.
Arbitrary file read vulnerability in Jenkins Pipeline Utility Steps Plugin
EPSS
8.1 High
CVSS3