GHSA-23h5-8ph6-7rfc
Suggest an improvement- Source
- https://github.com/advisories/GHSA-23h5-8ph6-7rfc
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-23h5-8ph6-7rfc/GHSA-23h5-8ph6-7rfc.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-23h5-8ph6-7rfc
- Aliases
-
- CVE-2022-25188
- Published
- 2022-02-16T00:01:27Z
- Modified
- 2024-02-16T08:02:25.307099Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N CVSS Calculator
- Summary
- Path traversal vulnerability in Jenkins Fortify Plugin
- Details
-
Jenkins Fortify Plugin 20.2.34 and earlier does not sanitize the
appNameandappVersionparameters of its Pipeline steps, which are used to write to files inside build directories.This allows attackers with Item/Configure permission to write or overwrite
.xmlfiles on the Jenkins controller file system with content not controllable by the attacker.Jenkins Fortify Plugin 20.2.35 sanitizes the
appNameandappVersionparameters of its Pipeline steps when determining the resulting filename. - Database specific
{ "nvd_published_at": "2022-02-15T17:15:00Z", "cwe_ids": [ "CWE-22" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-12-01T23:05:05Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2022-25188
- https://github.com/jenkinsci/fortify-plugin/commit/ba3030cb63bb86b6bb13342664e0e319f2fee374
- https://github.com/jenkinsci/fortify-plugin
- https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2214
- http://www.openwall.com/lists/oss-security/2022/02/15/2
Affected packages
Maven / org.jenkins-ci.plugins:fortify
Package
- Name
- org.jenkins-ci.plugins:fortify
- View open source insights on deps.dev
- Purl
- pkg:maven/org.jenkins-ci.plugins/fortify