CVE-2022-23107

CWE-22 — Path Traversal5 documents5 sources

Severity

8.1HIGH

EPSS

0.8%

top 26.64%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Warnings Next Generation Jenkins Project Jenkins Warnings Next Generation Plugin

Timeline

PublishedJan 12

Latest updateJan 21

Description

Jenkins Warnings Next Generation Plugin 9.10.2 and earlier does not restrict the name of a file when configuring custom ID, allowing attackers with Item/Configure permission to write and read specific files with a hard-coded suffix on the Jenkins controller file system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:NExploitability: 2.8 | Impact: 5.2

Affected Packages3 packages

▶CVEListV5jenkins_project/jenkins_warnings_next_generation_pluginunspecified — 9.10.2

▶NVDjenkins/warnings_next_generation9.0.0 — 9.0.2+3

▶Mavenio.jenkins.plugins:warnings-ng9.8.0 — 9.10.3+3

🔴Vulnerability Details

OSV

Path Traversal in Jenkins Warnings Next Generation Plugin↗2022-01-21

▶

GHSA

Path Traversal in Jenkins Warnings Next Generation Plugin↗2022-01-21

▶

CVEList

CVE-2022-23107: Jenkins Warnings Next Generation Plugin 9↗2022-01-12

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2022-01-12↗2022-01-12

▶