Jenkins Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier archives files uploaded for file
parameters for Pipeline input
steps on the controller as part of build metadata, using the parameter name without sanitization as a relative path inside a build-related directory, allowing attackers able to configure Pipelines to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.
[
{
"product": "Jenkins Pipeline: Input Step Plugin",
"vendor": "Jenkins project",
"versions": [
{
"status": "unaffected",
"version": "447.449.v193fd29f6021"
},
{
"status": "unaffected",
"version": "2.12.2"
},
{
"lessThanOrEqual": "448.v37cea_9a_10a_70",
"status": "affected",
"version": "unspecified",
"versionType": "custom"
}
]
}
]