CVE-2022-25188

CWE-22: Path Traversal | 5 documents | 5 sources
Severity: 4.3 MEDIUM
EPSS: 0.3% (top 49.33%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 15, 2022; latest update Feb 16, 2022

Description

Jenkins Fortify Plugin 20.2.34 and earlier does not sanitize the appName and appVersion parameters of its Pipeline steps, allowing attackers with Item/Configure permission to write or overwrite .xml files on the Jenkins controller file system with content not controllable by the attacker.
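The traversal pattern the description refers to, shown as an added illustration written for this page (hypothetical code, not the Fortify Plugin's own source): the vulnerable form concatenates the two step parameters straight into a file name under a directory on the controller, so an appName such as `../../../config` walks out of that directory; the hardened form allowlists both identifiers and then refuses any normalized path that no longer lies under the base directory. The class name, method names and the `/var/lib/jenkins/fortify` base directory are assumptions made for the example.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

/**
 * Hypothetical illustration of the CVE-2022-25188 pattern; this is not the
 * Fortify Plugin's code. BASE_DIR stands in for a directory under JENKINS_HOME.
 */
public class AppVersionPathDemo {

    /** Constructed base directory on the Jenkins controller (assumption, not the plugin's real layout). */
    static final Path BASE_DIR = Paths.get("/var/lib/jenkins/fortify").toAbsolutePath().normalize();

    /** VULNERABLE: appName and appVersion flow unfiltered into the file name, so "../" climbs out of BASE_DIR. */
    static Path vulnerableTarget(String appName, String appVersion) {
        return BASE_DIR.resolve(appName + "-" + appVersion + ".xml");
    }

    /**
     * Identifier allowlist: a letter or digit, then up to 63 letters, digits, dots, underscores or hyphens.
     * Requiring an alphanumeric first character rejects ".", ".." and hidden-file names; the character
     * class excludes both path separators, null bytes and control characters.
     */
    private static final Pattern SAFE_ID = Pattern.compile("^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$");

    /** HARDENED: validate both parameters, then refuse any resolved path outside BASE_DIR. */
    static Path hardenedTarget(String appName, String appVersion) {
        if (!SAFE_ID.matcher(appName).matches() || !SAFE_ID.matcher(appVersion).matches()) {
            throw new IllegalArgumentException("appName/appVersion must match " + SAFE_ID.pattern());
        }
        Path target = BASE_DIR.resolve(appName + "-" + appVersion + ".xml").normalize();
        // Defence in depth: independent of the allowlist, never write outside BASE_DIR.
        if (!target.startsWith(BASE_DIR)) {
            throw new SecurityException("resolved path escapes " + BASE_DIR + ": " + target);
        }
        return target;
    }

    /** True when a candidate path, once normalized, no longer lies under BASE_DIR. */
    static boolean escapesBase(Path candidate) {
        return !candidate.normalize().startsWith(BASE_DIR);
    }

    public static void main(String[] args) {
        // Constructed inputs: one legitimate pair, one appName that walks up three directories.
        String goodName = "payments-api", goodVersion = "2.4.1";
        String evilName = "../../../config", evilVersion = "1";

        Path legit = vulnerableTarget(goodName, goodVersion);
        Path escaped = vulnerableTarget(evilName, evilVersion);
        System.out.println("vulnerable, legit input : " + legit.normalize() + "  escapes=" + escapesBase(legit));
        System.out.println("vulnerable, evil input  : " + escaped.normalize() + "  escapes=" + escapesBase(escaped));

        System.out.println("hardened, legit input   : " + hardenedTarget(goodName, goodVersion));
        try {
            hardenedTarget(evilName, evilVersion);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened, evil input    : rejected (" + e.getMessage() + ")");
        }
    }
}
```

Compile and run with `javac AppVersionPathDemo.java && java AppVersionPathDemo`. With the constructed evil input the vulnerable variant normalizes to `/var/config-1.xml`, i.e. outside the base directory, while the hardened variant rejects it before any path is built. Two points worth noting: the `.xml` suffix is appended by the code and the file body is whatever the step writes, which is why the advisory says the content is not attacker-controllable and why the CVSS vector scores only a low integrity impact; and `normalize()` works on the path string alone, so where symlinks under the base directory are a concern, resolve the parent with `toRealPath()` before the `startsWith` check.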

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Exploitability: 2.8 | Impact: 1.4
(network-reachable, low attack complexity, low-privilege authenticated user, no user interaction, unchanged scope, integrity impact only; base score 4.3)

Affected Packages (3 packages)

CVEList V5: jenkins_project/jenkins_fortify_plugin, versions unspecified through 20.2.34
NVD: jenkins/fortify, up to and including 20.2.34

Patches

Vulnerability Details (3)

GHSA: Path traversal vulnerability in Jenkins Fortify Plugin (2022-02-16)
OSV: Path traversal vulnerability in Jenkins Fortify Plugin (2022-02-16)
CVEList: CVE-2022-25188: Jenkins Fortify Plugin 20 (2022-02-15)

Vendor Advisories (1)

Jenkins: Jenkins Security Advisory 2022-02-15 (2022-02-15)
Source: cvebase.io