PT-2022-25752 · Jenkins · Jenkins DotCi Plugin

Published: 2022-09-21 · Updated: 2025-05-28 · CVE-2022-41237

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Jenkins DotCi Plugin versions 2.40.00 and earlier

Description: The Jenkins DotCi Plugin does not configure its YAML parser to prevent the instantiation of arbitrary types, so a crafted YAML document can make the parser construct classes of the attacker's choosing, which results in remote code execution. The vulnerability is exploitable by attackers who can modify .ci.yml files in SCM.

Recommendations: For Jenkins DotCi Plugin versions 2.40.00 and earlier, consider disabling the plugin until a patch is available to prevent remote code execution. Restrict access to modify .ci.yml files in SCM to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
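As an added illustration, not the DotCi plugin's own code, the snippet below shows the weak parser setting described above beside the hardened one. It assumes SnakeYAML 1.x (org.yaml.snakeyaml) on the classpath and uses a constructed .ci.yml sample whose tag names a benign JDK class.

```java
// Added example, not code from the DotCi plugin. Assumes SnakeYAML 1.x;
// in SnakeYAML 2.x SafeConstructor takes a LoaderOptions argument.
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

import java.util.Map;

public class CiYamlLoader {
    // Constructed sample .ci.yml: the global tag asks the parser to
    // instantiate a Java class instead of building a plain mapping.
    static final String CI_YML =
        "build:\n" +
        "  script: ./gradlew test\n" +
        "extra: !!java.util.Date {}\n";

    // Weak setting: new Yaml() uses the default Constructor, which honours
    // global tags and instantiates whatever class the document names.
    static Object loadUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    // Corrected setting: SafeConstructor only builds standard YAML types
    // (maps, lists, scalars) and rejects tags that name Java classes.
    static Object loadSafe(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    public static void main(String[] args) {
        Map<?, ?> unsafe = (Map<?, ?>) loadUnsafe(CI_YML);
        // The untrusted file chose the runtime type of this value.
        System.out.println("default constructor: extra is "
            + unsafe.get("extra").getClass().getName());
        try {
            loadSafe(CI_YML);
            System.out.println("safe constructor: accepted (unexpected)");
        } catch (YAMLException e) {
            // SafeConstructor refuses the tag; treat the file as invalid.
            System.out.println("safe constructor: rejected, "
                + e.getClass().getSimpleName());
        }
    }
}
```

With the default constructor the `extra` value is a `java.util.Date` built by the parser; with `SafeConstructor` the same document is rejected with a `ConstructorException`, which is the behaviour a plugin parsing SCM-controlled YAML should have.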

RCE

Deserialization of Untrusted Data

Weakness Enumeration

Related Identifiers

CVE-2022-41237
GHSA-X3JJ-RGW9-7R5G

Affected Products

Jenkins
Jenkins Dotci Plugin