File Manipulation Vulnerability in Jenkins Build-Publisher Plugin by Jenkins
CVE-2022-41231

5.7MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Build-publisher Plugin
Vendor: CVE Published:; 21 September 2022

Summary

The Jenkins Build-Publisher Plugin prior to version 1.23 allows users with Item/Configure permission to exploit an API endpoint by supplying a specially crafted file name. This exploit enables them to create or overwrite any config.xml file on the Jenkins controller file system, potentially leading to unauthorized changes and system compromise. It is critical for administrators to upgrade to the latest version to mitigate this vulnerability.

Affected Version(s)

Jenkins Build-Publisher Plugin <= 1.22

References

https://www.jenkins.io/security/advisory/2022-09-21/#SECU...

x_refsource_CONFIRM

CVSS V3.1

Score:

5.7

Severity:

MEDIUM

Confidentiality:

None

Integrity:

High

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Sep 21, 2022
Vulnerability Reserved
Sep 21, 2022