PT-2022-22049 · Jenkins · Jenkins Junit Plugin+1
Daniel Beck · Published 2022-06-22 · Updated 2023-11-03 · CVE-2022-34181
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins xUnit Plugin versions 3.0.8 and earlier
Description
The issue allows attackers who can control agent processes to create an arbitrary directory on the Jenkins controller, or to obtain test results parsed from existing files in an attacker-specified directory on the controller. The cause is the implementation of an agent-to-controller message: the controller creates the directory named in the message if it does not exist and then parses the files inside it as test results, so the agent chooses which controller path is created and read.
Recommendations
For Jenkins xUnit Plugin versions 3.0.8 and earlier, update to version 3.1.0 or later. That release changes the message type from agent-to-controller to controller-to-agent, so the directory creation and result parsing no longer execute on the controller.
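The two message shapes described above, as an added illustration that is not the xUnit plugin's own code: the class names `CreateAndParseOnController`, `ParseOnAgent`, `listReports` and `collect` are hypothetical, while `SlaveToMasterCallable`, `MasterToSlaveFileCallable` and `FilePath.act` are the Jenkins core APIs that determine on which side a callable runs.

```java
import hudson.FilePath;
import hudson.remoting.VirtualChannel;
import jenkins.MasterToSlaveFileCallable;
import jenkins.security.SlaveToMasterCallable;

import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

public class ReportCollection {

    // Hypothetical helper: collect the names of *.xml report files in a directory.
    static List<String> listReports(File dir) {
        List<String> names = new ArrayList<>();
        File[] files = dir.listFiles((d, n) -> n.endsWith(".xml"));
        if (files != null) for (File f : files) names.add(f.getName());
        return names;
    }

    // Vulnerable shape (agent-to-controller): call() executes on the controller,
    // but every field, including the directory path, was filled in by the agent.
    static class CreateAndParseOnController extends SlaveToMasterCallable<List<String>, IOException> {
        private final String dir;
        CreateAndParseOnController(String dir) { this.dir = dir; }
        @Override public List<String> call() throws IOException {
            File d = new File(dir);                 // agent-chosen path on the controller
            if (!d.isDirectory() && !d.mkdirs()) throw new IOException("cannot create " + d);
            return listReports(d);                  // reads controller files, not workspace files
        }
    }

    // Fixed shape (controller-to-agent): invoke() executes on the agent against the
    // build workspace; the controller's own filesystem is never touched.
    static class ParseOnAgent extends MasterToSlaveFileCallable<List<String>> {
        @Override public List<String> invoke(File workspaceDir, VirtualChannel ch) throws IOException {
            return listReports(workspaceDir);
        }
    }

    // Controller side: resolve the report directory under the workspace and send
    // the work to the agent instead of accepting work from it.
    static List<String> collect(FilePath workspace, String relativeDir)
            throws IOException, InterruptedException {
        return workspace.child(relativeDir).act(new ParseOnAgent());
    }
}
```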
Weakness Enumeration
Protection Mechanism Failure
Related Identifiers
CVE-2022-34181
Affected Products
Jenkins
Jenkins Junit Plugin