GHSA-hgp9-2c4w-x9mh

Source
https://github.com/advisories/GHSA-hgp9-2c4w-x9mh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-hgp9-2c4w-x9mh/GHSA-hgp9-2c4w-x9mh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hgp9-2c4w-x9mh
Aliases
  • CVE-2022-36890
Published
2022-07-28T00:00:42Z
Modified
2024-02-16T08:01:26.935755Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Jenkins Deployer Framework Plugin vulnerable to Path Traversal
Details

Jenkins Deployer Framework Plugin 85.v1d1888e8c021 and earlier does not restrict the file name it accepts in methods implementing form validation, so a value containing path traversal sequences is resolved outside the intended directory.

This allows attackers with Item/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system: the form validation response differs depending on whether the file exists, which turns the endpoint into a file existence oracle.

Deployer Framework Plugin 86.v7ba4a55bf3ec ensures that only files contained inside the expected directory can be accessed.
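
The following is an added example, not code from the plugin or the advisory, showing the two shapes the Details section describes: a validation helper that joins a user-supplied name onto a base directory and tests for existence without any containment check, next to a hardened version that normalises the path and rejects anything that does not stay inside the base directory. The base directory, the method names and the sample inputs are assumptions chosen for illustration; a real Jenkins form-validation method would wrap the same logic in a doCheck method returning FormValidation.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

public class DeployerPathCheck {
    // Hypothetical directory the validation is expected to stay inside
    // (in a plugin this would typically be a job workspace or upload directory).
    static final Path BASE = Paths.get("/var/lib/jenkins/workspace/example-job");

    // Vulnerable shape (CWE-22): the user-controlled value is joined onto BASE and
    // tested for existence, but nothing checks that the result is still under BASE.
    // "../../secrets/master.key" resolves to /var/lib/jenkins/secrets/master.key and
    // "/etc/passwd" replaces BASE entirely, so any controller path can be probed.
    static boolean existsVulnerable(String userValue) {
        Path target = BASE.resolve(userValue);
        return Files.exists(target);
    }

    // Hardened shape: collapse "." and ".." with normalize(), then require that the
    // result starts with BASE. startsWith() compares whole path elements, so a
    // sibling directory such as BASE + "-other" is also rejected.
    static Path resolveInside(String userValue) {
        Path target = BASE.resolve(userValue).normalize();
        if (!target.startsWith(BASE)) {
            throw new IllegalArgumentException(
                "path escapes the expected directory: " + userValue);
        }
        return target;
    }

    // Form-validation style wrapper: reports a message instead of throwing, the way a
    // doCheck method would return FormValidation.error(...) / ok(). Note that a
    // rejected traversal attempt yields the same response whether or not the
    // target exists, so the existence oracle is gone for paths outside BASE.
    static String checkFile(String userValue) {
        Path target;
        try {
            target = resolveInside(userValue);
        } catch (IllegalArgumentException e) {
            return "ERROR: " + e.getMessage();
        }
        return Files.exists(target) ? "OK" : "WARNING: file not found";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: two legitimate names, two traversal attempts.
        String[] inputs = {
            "app.war", "sub/app.war", "../../secrets/master.key", "/etc/passwd"
        };
        for (String in : inputs) {
            System.out.println(in + " -> vulnerable exists=" + existsVulnerable(in)
                + " | hardened: " + checkFile(in));
        }
    }
}
```

Two caveats for anyone porting this into a plugin: the containment check protects only against lexical traversal, so if untrusted users can create symlinks inside BASE, resolve the candidate with toRealPath() (which requires the file to exist) and compare that against the real path of BASE instead; and the check belongs on the controller side where the form-validation method runs, alongside the permission check the endpoint already performs.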

Database specific
{
    "nvd_published_at": "2022-07-27T15:15:00Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-08-11T15:16:24Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:deployer-framework

Package

Name
org.jenkins-ci.plugins:deployer-framework
Purl
pkg:maven/org.jenkins-ci.plugins/deployer-framework

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
86.v7b_a_4a_55b_f3ec

Affected versions

1.*

1.0
1.1
1.2
1.3
1.3.1

64.*

64.v3400230d12da_

69.*

69.v0fcb_86e90e08

75.*

75.vcc73e3a_89e64

85.*

85.v1d1888e8c021

Database specific

{
    "last_known_affected_version_range": "<= 85.v1d1888e8c021"
}