All the vulnerabilites related to Jenkins Project - Jenkins Pipeline Utility Steps Plugin
cve-2022-45381
Vulnerability from cvelistv5
Published
2022-11-15 00:00
Modified
2024-08-03 14:09
Severity ?
EPSS score ?
Summary
Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:' prefix interpolator by default, allowing attackers able to configure Pipelines to read arbitrary files from the Jenkins controller file system.
References
Impacted products
▼ | Vendor | Product |
---|---|---|
Jenkins project | Jenkins Pipeline Utility Steps Plugin |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-03T14:09:57.000Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_transferred" ], "url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2949" }, { "name": "[oss-security] 20221115 Multiple vulnerabilities in Jenkins plugins", "tags": [ "mailing-list", "x_transferred" ], "url": "http://www.openwall.com/lists/oss-security/2022/11/15/4" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "Jenkins Pipeline Utility Steps Plugin", "vendor": "Jenkins project", "versions": [ { "lessThanOrEqual": "2.13.1", "status": "affected", "version": "unspecified", "versionType": "custom" } ] } ], "descriptions": [ { "lang": "en", "value": "Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the \u0027file:\u0027 prefix interpolator by default, allowing attackers able to configure Pipelines to read arbitrary files from the Jenkins controller file system." } ], "providerMetadata": { "dateUpdated": "2023-10-24T14:26:10.547Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "url": "https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2949" }, { "name": "[oss-security] 20221115 Multiple vulnerabilities in Jenkins plugins", "tags": [ "mailing-list" ], "url": "http://www.openwall.com/lists/oss-security/2022/11/15/4" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2022-45381", "datePublished": "2022-11-15T00:00:00", "dateReserved": "2022-11-14T00:00:00", "dateUpdated": "2024-08-03T14:09:57.000Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }
cve-2023-32981
Vulnerability from cvelistv5
Published
2023-05-16 16:00
Modified
2024-08-02 15:32
Severity ?
EPSS score ?
Summary
An arbitrary file write vulnerability in Jenkins Pipeline Utility Steps Plugin 2.15.2 and earlier allows attackers able to provide crafted archives as parameters to create or replace arbitrary files on the agent file system with attacker-specified content.
References
▼ | URL | Tags |
---|---|---|
https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-2196 | vendor-advisory |
Impacted products
▼ | Vendor | Product |
---|---|---|
Jenkins Project | Jenkins Pipeline Utility Steps Plugin |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-02T15:32:46.622Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "name": "Jenkins Security Advisory 2023-05-16", "tags": [ "vendor-advisory", "x_transferred" ], "url": "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-2196" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "defaultStatus": "unaffected", "product": "Jenkins Pipeline Utility Steps Plugin", "vendor": "Jenkins Project", "versions": [ { "lessThanOrEqual": "2.15.2", "status": "affected", "version": "0", "versionType": "maven" } ] } ], "descriptions": [ { "lang": "en", "value": "An arbitrary file write vulnerability in Jenkins Pipeline Utility Steps Plugin 2.15.2 and earlier allows attackers able to provide crafted archives as parameters to create or replace arbitrary files on the agent file system with attacker-specified content." } ], "providerMetadata": { "dateUpdated": "2023-10-24T12:50:01.412Z", "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins" }, "references": [ { "name": "Jenkins Security Advisory 2023-05-16", "tags": [ "vendor-advisory" ], "url": "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-2196" } ] } }, "cveMetadata": { "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2023-32981", "datePublished": "2023-05-16T16:00:03.102Z", "dateReserved": "2023-05-16T10:55:43.518Z", "dateUpdated": "2024-08-02T15:32:46.622Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1" }