CVE-2022-36890

2022-07-2715:15:09

CWE-22

[email protected]

web.nvd.nist.gov

cve-2022-36890

jenkins

deployer framework plugin

security

vulnerability

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

38.5%

JSON

Jenkins Deployer Framework Plugin 85.v1d1888e8c021 and earlier does not restrict the name of files in methods implementing form validation, allowing attackers with Item/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

Affected configurations

NVD

Node

jenkinsdeployer_frameworkRange≤85.v1d1888e8c021jenkins

CPENameOperatorVersion
jenkins:deployer_frameworkjenkins deployer frameworkle85.v1d1888e8c021

CPE	Name	Operator	Version
jenkins:deployer_framework	jenkins deployer framework	le	85.v1d1888e8c021

CNA Affected

[
  {
    "product": "Jenkins Deployer Framework Plugin",
    "vendor": "Jenkins project",
    "versions": [
      {
        "lessThanOrEqual": "85.v1d1888e8c021",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "status": "unaffected",
        "version": "1.3.1"
      }
    ]
  }
]