PT-2022-18290 · Jenkins · Jenkins Extended Choice Parameter Plugin
Oleg Nenashev · Published 2022-03-15 · Updated 2023-11-30
CVE-2022-27203
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins Extended Choice Parameter Plugin versions 346.vd87693c5a 86c and earlier
Description
The issue allows attackers with Item/Configure permission to read values from arbitrary JSON and Java properties files on the Jenkins controller.
Recommendations
For Jenkins Extended Choice Parameter Plugin versions 346.vd87693c5a 86c and earlier, consider restricting the Item/Configure permission to minimize the risk of exploitation until a patch is available.
Fix
Path traversal
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins Extended Choice Parameter Plugin