CVE-2022-45381
CVSS V2 None
CVSS V3 Critical 9.1
Description
Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:' prefix interpolator by default, allowing attackers able to configure Pipelines to read arbitrary files from the Jenkins controller file system.
Overview
- CVE ID: CVE-2022-45381
- Assigner: jenkinsci-cert@googlegroups.com
- Vulnerability Status: Analyzed
- Published Date: 2022-11-15T20:15:11
- Last Modified Date: 2022-11-29T14:19:32
Weakness Enumerations
CPE Configuration (Product)
CPE | Vulnerable | Operator | Version Start | Version End (excluding) |
---|---|---|---|---|
cpe:2.3:a:jenkins:pipeline_utility_steps:*:*:*:*:*:jenkins:*:* | 1 | OR | | 2.13.2 |
CVSS Version 3
- Version: 3.1
- Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- Attack Vector: NETWORK
- Attack Complexity: LOW
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality Impact: HIGH
- Availability Impact: NONE
- Base Score: 9.1
- Base Severity: CRITICAL
- Exploitability Score: 3.9
- Impact Score: 5.2
References
Reference URL | Reference Tags |
---|---|
https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2949 | |
Sources
Source Name | Source URL |
---|---|
NIST | https://nvd.nist.gov/vuln/detail/CVE-2022-45381 |
MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-45381 |
History
Created | Old Value | New Value | Data Type | Notes |
---|---|---|---|---|
2022-11-15 21:00:16 | | | | Added to TrackCVE |
2022-12-07 17:46:25 | 2022-11-15T20:15Z | 2022-11-15T20:15:11 | CVE Published Date | updated |
2022-12-07 17:46:25 | | 2022-11-29T14:19:32 | CVE Modified Date | updated |
2022-12-07 17:46:25 | | Analyzed | Vulnerability Status | updated |
2022-12-07 17:46:27 | | | CPE Information | updated |