CVE-2022-36890 — Path Traversal in Project Jenkins Deployer Framework Plugin

CWE-22 — Path Traversal5 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.7%

top 28.82%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Deployer Framework Plugin Jenkins Deployer Framework

Timeline

PublishedJul 27

Latest updateJul 28

Description

Jenkins Deployer Framework Plugin 85.v1d1888e8c021 and earlier does not restrict the name of files in methods implementing form validation, allowing attackers with Item/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5jenkins_project/jenkins_deployer_framework_pluginunspecified — 85.v1d1888e8c021

▶NVDjenkins/deployer_framework85.v1d1888e8c021

🔴Vulnerability Details

GHSA

Jenkins Deployer Framework Plugin vulnerable to Path Traversal↗2022-07-28

▶

OSV

Jenkins Deployer Framework Plugin vulnerable to Path Traversal↗2022-07-28

▶

CVEList

CVE-2022-36890: Jenkins Deployer Framework Plugin 85↗2022-07-27

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2022-07-27↗2022-07-27

▶