Arbitrary JSON and property file read vulnerability in Jenkins Extended Choice Parameter Plugin

2022-03-1600:00:44

Google

osv.dev

0.001 Low

EPSS

Percentile

39.7%

JSON

Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers with Item/Configure permission to read values from arbitrary JSON and Java properties files on the Jenkins controller.

CPENameOperatorVersion
org.jenkins-ci.plugins:extended-choice-parametereq0.36
org.jenkins-ci.plugins:extended-choice-parametereq0.64
org.jenkins-ci.plugins:extended-choice-parametereq0.69
org.jenkins-ci.plugins:extended-choice-parametereq0.54
org.jenkins-ci.plugins:extended-choice-parametereq0.19
org.jenkins-ci.plugins:extended-choice-parametereq0.43
org.jenkins-ci.plugins:extended-choice-parametereq0.35
org.jenkins-ci.plugins:extended-choice-parametereq0.53
org.jenkins-ci.plugins:extended-choice-parametereq0.75
org.jenkins-ci.plugins:extended-choice-parametereq0.24

Name	Operator	Version
org.jenkins-ci.plugins:extended-choice-parameter	eq	0.36
org.jenkins-ci.plugins:extended-choice-parameter	eq	0.64
org.jenkins-ci.plugins:extended-choice-parameter	eq	0.69
org.jenkins-ci.plugins:extended-choice-parameter	eq	0.54
org.jenkins-ci.plugins:extended-choice-parameter	eq	0.19
org.jenkins-ci.plugins:extended-choice-parameter	eq	0.43
org.jenkins-ci.plugins:extended-choice-parameter	eq	0.35
org.jenkins-ci.plugins:extended-choice-parameter	eq	0.53
org.jenkins-ci.plugins:extended-choice-parameter	eq	0.75
org.jenkins-ci.plugins:extended-choice-parameter	eq	0.24