Unauthorized Access to JSON and Java Properties Files in Jenkins Extended Choice Parameter Plugin
CVE-2022-27203

6.5 MEDIUM

Key Information:

Vendor: Jenkins
CVE Published: 15 March 2022

Summary

The Jenkins Extended Choice Parameter Plugin allows users with Item/Configure permission to gain unauthorized access to the values stored in arbitrary JSON and Java properties files on the Jenkins controller. This vulnerability can expose sensitive configuration data and potentially lead to further exploitation or compromise of the Jenkins environment. Users are advised to update to the latest version of the plugin to mitigate risks associated with this issue.

Affected Version(s)

Jenkins Extended Choice Parameter Plugin <= 346.vd87693c5a_86c

References

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
