PT-2022-22044 · Jenkins · Jenkins Pipeline: Input Step Plugin

Daniel Beck · Published 2022-06-22 · Updated 2023-11-03 · CVE-2022-34177

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Pipeline: Input Step Plugin versions 448.v37cea_9a_10a_70 and earlier

Description: The issue allows attackers who can configure Pipelines to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content. This is because the plugin archives files uploaded for file parameters for Pipeline input steps on the controller as part of build metadata, using the parameter name without sanitization as a relative path inside a build-related directory.

Recommendations: For Jenkins Pipeline: Input Step Plugin versions 448.v37cea_9a_10a_70 and earlier, update to version 449.v77f0e8b_845c4 or later, which prohibits the use of file parameters for Pipeline input steps. As a temporary workaround, consider restricting the ability to configure Pipelines to trusted users until the update is applied.
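The weakness described above is a classic path traversal: a user-controlled name is joined onto a trusted base directory without checking that the result stays inside it. The following added example (written here for illustration; it is not code from the plugin or from the advisory) reproduces that pattern in Python as a pure lexical path computation, beside a hardened variant that restricts the name to a single path component and verifies containment. The base directory `/srv/build-metadata/42` and the sample parameter names are constructed placeholders, not Jenkins paths.

```python
import posixpath

# Constructed base directory standing in for a build-related directory
# on the controller (hypothetical path, not a real Jenkins location).
BUILD_DIR = "/srv/build-metadata/42"


def unsafe_archive_path(base_dir: str, param_name: str) -> str:
    """Pre-fix behaviour as the advisory describes it: the parameter name is
    used directly as a relative path under the build directory.
    Normalising the join shows where such a file would actually land."""
    return posixpath.normpath(posixpath.join(base_dir, param_name))


def escapes_base(base_dir: str, param_name: str) -> bool:
    """Detection helper: True when the unsanitised join would resolve to a
    location outside base_dir (the condition that enables file overwrite)."""
    base = posixpath.normpath(base_dir)
    target = unsafe_archive_path(base, param_name)
    # commonpath() of base and target equals base only when target is inside it.
    return posixpath.commonpath([base, target]) != base


def safe_archive_path(base_dir: str, param_name: str) -> str:
    """Hardened variant: accept only a single plain file-name component,
    then re-check that the normalised result is a direct child of base_dir.
    Raises ValueError for anything else instead of silently writing."""
    if not param_name or param_name in (".", ".."):
        raise ValueError("empty or reserved parameter name")
    if "/" in param_name or "\\" in param_name or "\0" in param_name:
        raise ValueError("parameter name must be a single path component")
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, param_name))
    # Belt and braces: the parent of the final path must be the base itself.
    if posixpath.dirname(target) != base:
        raise ValueError("parameter name escapes the build directory")
    return target


if __name__ == "__main__":
    # Constructed parameter names: one benign, two that traverse out.
    for name in ("report.txt", "../../outside.txt", "/tmp/anything"):
        print(f"{name!r:24} -> {unsafe_archive_path(BUILD_DIR, name)}"
              f"  escapes={escapes_base(BUILD_DIR, name)}")
        try:
            print("  hardened:", safe_archive_path(BUILD_DIR, name))
        except ValueError as err:
            print("  hardened: rejected:", err)
```

The lexical check uses `posixpath` deliberately so it behaves the same on every platform; in a real archiving routine you would additionally resolve symlinks (e.g. `os.path.realpath`) before the containment comparison, since a link inside the base directory can point outside it. Note that the actual fix shipped in 449.v77f0e8b_845c4 sidesteps the question entirely by disallowing file parameters for input steps.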

Fix

Weakness Enumeration: Path traversal

Related Identifiers

CVE-2022-34177
GHSA-29Q6-P2CG-4V23
RHSA-2022:6531
RHSA-2022:9110
RHSA-2023:0017

Affected Products

Jenkins
Jenkins Pipeline: Input Step Plugin