CVE-2022-25188
published 2022-02-15CVE-2022-25188: Jenkins Fortify Plugin 20.2.34 and earlier does not sanitize the appName and appVersion parameters of its Pipeline steps, allowing attackers with…
medium4.3CVSS 3.1
AVNACLPRLUINSUCNILAN
Jenkins Fortify Plugin 20.2.34 and earlier does not sanitize the appName and appVersion parameters of its Pipeline steps, allowing attackers with Item/Configure permission to write or overwrite .xml files on the Jenkins controller file system with content not controllable by the attacker.
Affected
22 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jenkins | agent_server_parameter_plugin | — | — |
| jenkins | build_step_plugin | — | — |
| jenkins | checkmarx_plugin | — | — |
| jenkins | chef_sinatra_plugin | — | — |
| jenkins | conjur_secrets_plugin | — | — |
| jenkins | convertigo_mobile_platform_plugin | — | — |
| jenkins | custom_checkbox_parameter_plugin | — | — |
| jenkins | deprecated_groovy_libraries_plugin | — | — |
| jenkins | doktor_plugin | — | — |
| jenkins | fortify | <= 20.2.34 | — |
| jenkins | fortify_plugin | — | — |
| jenkins | generic_webhook_trigger_plugin | — | — |
| jenkins | gitlab_authentication_plugin | — | — |
| jenkins | groovy_plugin | — | — |
| jenkins | hashicorp_vault_plugin | — | — |
| jenkins | multibranch_plugin | — | — |
| jenkins | scp_publisher_plugin | — | — |
| jenkins | snow_commander_plugin | — | — |
| jenkins | support_core_plugin | — | — |
| jenkins | swamp_plugin | — | — |
| jenkins | team_views_plugin | — | — |
| jenkins_project | jenkins_fortify_plugin | unspecified – 20.2.34 | — |