Insufficient Name Validation in Jenkins Promoted Builds Plugin by CloudBees
CVE-2022-29049
5.4MEDIUM
Summary
The Jenkins Promoted Builds Plugin, specifically versions 873.v6149db_d64130 and earlier (excluding version 3.10.1), lacks proper validation for promotion names defined in Job DSL. This vulnerability enables attackers with Job/Configure permissions to craft promotions with arbitrary and potentially dangerous names, creating opportunities for malicious actions within the Jenkins environment.
Affected Version(s)
Jenkins promoted builds Plugin <= 873.v6149db_d64130
Jenkins promoted builds Plugin 3.10.1
References
CVSS V3.1
Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed
Timeline
Vulnerability published
Vulnerability Reserved