CVE-2022-34177 — Path Traversal in Project Jenkins Pipeline Input Step Plugin

CWE-22 — Path Traversal6 documents6 sources

Severity

7.5HIGHNVD

EPSS

0.1%

top 70.26%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Pipeline Input Step Plugin Jenkins Pipeline

Timeline

PublishedJun 23

Latest updateJun 24

Description

Jenkins Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier archives files uploaded for `file` parameters for Pipeline `input` steps on the controller as part of build metadata, using the parameter name without sanitization as a relative path inside a build-related directory, allowing attackers able to configure Pipelines to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5jenkins_project/jenkins_pipeline_input_step_pluginunspecified — 448.v37cea_9a_10a_70

▶NVDjenkins/pipeline448.v37cea_9a_10a_70

🔴Vulnerability Details

OSV

Arbitrary file write vulnerability in Jenkins Pipeline: Input Step Plugin↗2022-06-24

▶

GHSA

Arbitrary file write vulnerability in Jenkins Pipeline: Input Step Plugin↗2022-06-24

▶

CVEList

CVE-2022-34177: Jenkins Pipeline: Input Step Plugin 448↗2022-06-22

▶

📋Vendor Advisories

Red Hat

jenkins-plugin: Arbitrary file write vulnerability in Pipeline Input Step Plugin↗2022-06-23

▶

Jenkins

Jenkins Security Advisory 2022-06-22↗2022-06-22

▶