Lucene search

GitHub Advisory DatabaseGHSA-J5QQ-6RPM-QJGH

HistoryJul 28, 2022 - 12:00 a.m.

Jenkins Deployer Framework Plugin does not restrict application path of applications when configuring a deployment

2022-07-2800:00:42

CWE-22

GitHub Advisory Database

github.com

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

47.8%

JSON

Jenkins Deployer Framework Plugin 85.v1d1888e8c021 and earlier does not restrict the application path of the applications when configuring a deployment, allowing attackers with Item/Configure permission to upload arbitrary files from the Jenkins controller file system to the selected service.

Affected configurations

Vulners

Node

koala-frameworkkoala_frameworkRange≤85.v1d1888e8c021

CPENameOperatorVersion
org.jenkins-ci.plugins:deployer-frameworkle85.v1d1888e8c021

CPE	Name	Operator	Version
	org.jenkins-ci.plugins:deployer-framework	le	85.v1d1888e8c021

References

www.openwall.com/lists/oss-security/2022/07/27/1

github.com/advisories/GHSA-j5qq-6rpm-qjgh

nvd.nist.gov/vuln/detail/CVE-2022-36889

www.jenkins.io/security/advisory/2022-07-27/#SECURITY-2764

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.001 Low

EPSS

Percentile

47.8%

JSON

Related for GHSA-J5QQ-6RPM-QJGH