Vulnerability Description
Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:' prefix interpolator by default, allowing attackers able to configure Pipelines to read arbitrary files from the Jenkins controller file system.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jenkins | Pipeline Utility Steps | < 2.13.2 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2022/11/15/4Mailing List
- https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2949Vendor Advisory
- http://www.openwall.com/lists/oss-security/2022/11/15/4Mailing List
- https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2949Vendor Advisory
FAQ
What is CVE-2022-45381?
CVE-2022-45381 is a vulnerability with a CVSS score of 8.1 (HIGH). Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:' ...
How severe is CVE-2022-45381?
CVE-2022-45381 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2022-45381?
Check the references section above for vendor advisories and patch information. Affected products include: Jenkins Pipeline Utility Steps.