CVE-2020-2278

CWE-22Path Traversal5 documents5 sources
Severity
6.5MEDIUM
EPSS
1.0%
top 22.90%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Jenkins Project Jenkins Storable Configs PluginJenkins Storable Configs
Timeline
PublishedSep 16
Latest updateMay 24

Description

Jenkins Storable Configs Plugin 1.0 and earlier does not restrict the user-specified file name, allowing attackers with Job/Configure permission to replace any other '.xml' file on the Jenkins controller with a job config.xml file's content.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

🔴Vulnerability Details

3
GHSA
Arbitrary file write vulnerability in Jenkins Storable Configs Plugin2022-05-24
OSV
Arbitrary file write vulnerability in Jenkins Storable Configs Plugin2022-05-24
CVEList
CVE-2020-2278: Jenkins Storable Configs Plugin 12020-09-16

📋Vendor Advisories

1
Jenkins
Jenkins Security Advisory 2020-09-162020-09-16
CVE-2020-2278 (MEDIUM CVSS 6.5) | Jenkins Storable Configs Plugin 1.0 | cvebase.io