CVE-2022-36889

CWE-22 — Path Traversal5 documents5 sources

Severity

8.8HIGH

EPSS

0.5%

top 35.07%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Deployer Framework Plugin Jenkins Deployer Framework

Timeline

PublishedJul 27

Latest updateJul 28

Description

Jenkins Deployer Framework Plugin 85.v1d1888e8c021 and earlier does not restrict the application path of the applications when configuring a deployment, allowing attackers with Item/Configure permission to upload arbitrary files from the Jenkins controller file system to the selected service.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:deployer-framework< 86.v7b_a_4a_55b_f3ec

▶CVEListV5jenkins_project/jenkins_deployer_framework_pluginunspecified — 85.v1d1888e8c021

▶NVDjenkins/deployer_framework85.v1d1888e8c021

🔴Vulnerability Details

OSV

Jenkins Deployer Framework Plugin does not restrict application path of applications when configuring a deployment↗2022-07-28

▶

GHSA

Jenkins Deployer Framework Plugin does not restrict application path of applications when configuring a deployment↗2022-07-28

▶

CVEList

CVE-2022-36889: Jenkins Deployer Framework Plugin 85↗2022-07-27

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2022-07-27↗2022-07-27

▶