File Path Parsing Vulnerability in Jenkins Semantic Versioning Plugin by CloudBees
CVE-2022-27201

6.5MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Semantic Versioning Plugin
Vendor: CVE Published:; 15 March 2022

Summary

The Jenkins Semantic Versioning Plugin versions up to 1.13 allow unrestricted execution of controller/agent messages. This oversight permits potentially malicious agents to manipulate the file path that Jenkins parses, potentially leading to the extraction of sensitive data from the Jenkins controller or enabling server-side request forgery. Organizations using this plugin should upgrade to a newer version to mitigate risks associated with this vulnerability.

Affected Version(s)

Jenkins Semantic Versioning Plugin <= 1.13

References

https://www.jenkins.io/security/advisory/2022-03-15/#SECU...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2022/03/15/2

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 15, 2022
Vulnerability Reserved
Mar 15, 2022