GHSA-rvh4-g2rj-hr9c
Suggest an improvement- Source
- https://github.com/advisories/GHSA-rvh4-g2rj-hr9c
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/01/GHSA-rvh4-g2rj-hr9c/GHSA-rvh4-g2rj-hr9c.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-rvh4-g2rj-hr9c
- Aliases
- Published
- 2022-01-21T23:38:05Z
- Modified
- 2024-02-16T08:16:52.944151Z
- Severity
-
- 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- Path Traversal in Jenkins Warnings Next Generation Plugin
- Details
-
Jenkins Warnings Next Generation Plugin prior to 9.10.3, 9.7.1, 9.5.2, and 9.0.2 does not restrict the name of a file when configuring a custom ID.
This allows attackers with Item/Configure permission to write and read specific files with a hard-coded suffix on the Jenkins controller file system.
Jenkins Warnings Next Generation Plugin 9.10.3, 9.7.1, 9.5.2, and 9.0.2 checks for the presence of prohibited directory separator characters in the custom ID.
- Database specific
{ "nvd_published_at": "2022-01-12T20:15:00Z", "cwe_ids": [ "CWE-22" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2022-01-20T14:51:23Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2022-23107
- https://github.com/CVEProject/cvelist/blob/36f932156733baab1b13868be4338de406a1dec7/2022/23xxx/CVE-2022-23107.json
- https://github.com/jenkinsci/warnings-ng-plugin
- https://github.com/jenkinsci/warnings-ng-plugin/releases/tag/v9.10.3
- https://www.jenkins.io/security/advisory/2022-01-12/#SECURITY-2090
- http://www.openwall.com/lists/oss-security/2022/01/12/6
Affected packages
Maven / io.jenkins.plugins:warnings-ng
Package
- Name
- io.jenkins.plugins:warnings-ng
- View open source insights on deps.dev
- Purl
- pkg:maven/io.jenkins.plugins/warnings-ng
Maven / io.jenkins.plugins:warnings-ng
Package
- Name
- io.jenkins.plugins:warnings-ng
- View open source insights on deps.dev
- Purl
- pkg:maven/io.jenkins.plugins/warnings-ng
Maven / io.jenkins.plugins:warnings-ng
Package
- Name
- io.jenkins.plugins:warnings-ng
- View open source insights on deps.dev
- Purl
- pkg:maven/io.jenkins.plugins/warnings-ng
Maven / io.jenkins.plugins:warnings-ng
Package
- Name
- io.jenkins.plugins:warnings-ng
- View open source insights on deps.dev
- Purl
- pkg:maven/io.jenkins.plugins/warnings-ng
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed9.0.2
Affected versions
1.*
1.0.0-beta1
1.0.0-beta2
1.0.0-beta3
1.0.0-beta4
1.0.0-beta5
1.0.0-beta6
1.0.0-beta7
1.0.0-beta8
1.0.0-beta9
1.0.0-beta10
1.0.0
1.0.1
2.*
2.0.0
2.1.0
2.1.1
2.1.2
2.2.0
2.2.1
3.*
3.0.0
3.0.1
3.0.3
4.*
4.0.0
5.*
5.0.0
5.1.0
5.2.0
5.2.1
5.3.0
6.*
6.0.0
6.0.1
6.0.2
6.0.3
6.0.4
6.1.0
6.1.1
7.*
7.0.0
7.1.0
7.1.1
7.1.2
7.2.0
7.2.1
7.2.2
7.3.0
8.*
8.0.0-beta1
8.0.0-beta2
8.0.0-beta3
8.0.0-beta5
8.0.0-beta6
8.0.0-beta7
8.0.0-beta8
8.0.0
8.1.0
8.2.0
8.3.0
8.4.0
8.4.1
8.4.1.1
8.4.2
8.4.3
8.4.3.1
8.4.4
8.5.0
8.6.0
8.6.1
8.6.2
8.6.3
8.7.0
8.8.0
8.8.0.1
8.9.0
8.9.1
8.9.2
8.10.0
8.10.1
9.*
9.0.0
9.0.1