CVE-2022-23107
published 2022-01-12CVE-2022-23107: Jenkins Warnings Next Generation Plugin 9.10.2 and earlier does not restrict the name of a file when configuring custom ID, allowing attackers with…
high8.1CVSS 3.1
AVNACLPRLUINSUCHIHAN
Jenkins Warnings Next Generation Plugin 9.10.2 and earlier does not restrict the name of a file when configuring custom ID, allowing attackers with Item/Configure permission to write and read specific files with a hard-coded suffix on the Jenkins controller file system.
Affected
28 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | active_directory_plugin | — | — |
| jenkins | badge_plugin | — | — |
| jenkins | bitbucket_branch_source_plugin | — | — |
| jenkins | configuration_as_code_plugin | — | — |
| jenkins | conjur_secrets_plugin | — | — |
| jenkins | credentials_binding_plugin | — | — |
| jenkins | credentials_plugin | — | — |
| jenkins | debian_package_builder_plugin | — | — |
| jenkins | docker_commons_plugin | — | — |
| jenkins | groovy_plugin | — | — |
| jenkins | hashicorp_vault_plugin | — | — |
| jenkins | ids_in_bitbucket_branch_source_plugin | — | — |
| jenkins | improper_credentials_masking_in_hashicorp_vault_plugin | — | — |
| jenkins | jenkins_core | — | — |
| jenkins | jenkins_lts | — | — |
| jenkins | jenkins_ui_requesting_they_update_the_plugin | — | — |
| jenkins | jenkins_weekly | — | — |
| jenkins | mailer_plugin | — | — |
| jenkins | matrix_project_plugin | — | — |
| jenkins | metrics_plugin | — | — |
| jenkins | publish_over_ssh_plugin | — | — |
| jenkins | ssh_agent_plugin | — | — |
| jenkins | warnings_next_generation | — | — |
| jenkins | warnings_next_generation | >= 9.0.0 < 9.0.2 | 9.0.2 |
| jenkins | warnings_next_generation | 9.10.0 – 9.10.2 | — |