CVE-2022-34177: Jenkins Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier archives files uploaded for `file` parameters for Pipeline `input` steps on the controller…

high7.5CVSS 3.1

AVNACLPRNUINSUCNIHAN

Jenkins Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier archives files uploaded for `file` parameters for Pipeline `input` steps on the controller as part of build metadata, using the parameter name without sanitization as a relative path inside a build-related directory, allowing attackers able to configure Pipelines to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.

Affected

32 ranges· showing 25

Vendor	Product	Version range	Fixed in
jenkins	agent_server_parameter_plugin	—	—
jenkins	beaker_builder_plugin	—	—
jenkins	convertigo_mobile_platform_plugin	—	—
jenkins	crx_content_package_deployer_plugin	—	—
jenkins	date_parameter_plugin	—	—
jenkins	dynamic_extended_choice_parameter_plugin	—	—
jenkins	easyqa_plugin	—	—
jenkins	embeddable_build_status_plugin	—	—
jenkins	filesystem_list_parameter_plugin	—	—
jenkins	hidden_parameter_plugin	—	—
jenkins	image_tag_parameter_plugin	—	—
jenkins	improper_authorization_in_embeddable_build_status_plugin	—	—
jenkins	input_step_plugin	—	—
jenkins	jenkins_ci_server_plugin	—	—
jenkins	jenkins_core	—	—
jenkins	jenkins_lts	—	—
jenkins	jenkins_weekly	—	—
jenkins	jianliao_notification_plugin	—	—
jenkins	junit_plugin	—	—
jenkins	maven_metadata_plugin	—	—
jenkins	nested_view_plugin	—	—
jenkins	ns-nd_integration_performance_publisher_plugin	—	—
jenkins	orchestrator_plugin	—	—
jenkins	package_version_plugin	—	—
jenkins	pipeline	<= 448.v37cea_9a_10a_70	—