PT-2022-27483 · Jenkins · Jenkins Pipeline Utility Steps Plugin

James Nord · Published 2022-11-15 · Updated 2023-11-22 · CVE-2022-45381

CVSS v3.1: 8.1 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions

Jenkins Pipeline Utility Steps Plugin versions 2.13.1 and earlier

Description

The issue allows attackers who can configure Pipelines to read arbitrary files from the Jenkins controller file system. This is due to the lack of restriction on the set of enabled prefix interpolators, combined with the inclusion of Apache Commons Configuration library versions that enable the file: prefix interpolator by default.

Recommendations

For Jenkins Pipeline Utility Steps Plugin versions 2.13.1 and earlier, update to version 2.13.2 or later, which restricts the set of prefix interpolators enabled by default. As a temporary workaround, consider setting the Java system property org.jenkinsci.plugins.pipeline.utility.steps.conf.ReadPropertiesStepExecution.CUSTOM_PREFIX_INTERPOLATOR_LOOKUPS to customize which prefix interpolators are enabled, excluding the file: prefix interpolator.
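The following is an added example, not code from the Jenkins plugin or from this advisory, showing the two things a defender would want around this issue: a scan that flags any ${prefix:...} interpolation reference in a .properties text whose prefix is not on an allowlist, and a loader that reads the properties with Apache Commons Configuration 2.x while registering only the allowlisted prefix lookups, so that an unlisted prefix such as file: is simply left unresolved. The allowlist (sys and env), the class name RestrictedPropertiesLoader, and the sample properties text are assumptions made for this example; the example assumes commons-configuration2 2.8.0 or later on the classpath and does not reproduce the plugin's own 2.13.2 restriction logic.

```java
// Added example (not the plugin's or the advisory's code): allowlist-based
// loading of a .properties file with Apache Commons Configuration 2.x.
import java.io.IOException;
import java.io.StringReader;
import java.util.Arrays;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.apache.commons.configuration2.PropertiesConfiguration;
import org.apache.commons.configuration2.ex.ConfigurationException;
import org.apache.commons.configuration2.interpol.ConfigurationInterpolator;
import org.apache.commons.configuration2.interpol.Lookup;

public class RestrictedPropertiesLoader {

    // Prefixes a job is allowed to interpolate (assumption for this example).
    static final Set<String> ALLOWED_PREFIXES =
            new LinkedHashSet<>(Arrays.asList("sys", "env"));

    // Matches "${prefix:" and captures the prefix name.
    private static final Pattern PREFIX_REF = Pattern.compile("\\$\\{([A-Za-z0-9]+):");

    // Detection: return every interpolation prefix used in the text that is
    // not on the allowlist, so the file can be rejected or reviewed before use.
    static Set<String> findDisallowedPrefixes(String propertiesText) {
        Set<String> found = new LinkedHashSet<>();
        Matcher m = PREFIX_REF.matcher(propertiesText);
        while (m.find()) {
            String prefix = m.group(1);
            if (!ALLOWED_PREFIXES.contains(prefix)) {
                found.add(prefix);
            }
        }
        return found;
    }

    // Mitigation: load the properties with only the allowlisted prefix lookups
    // registered. setPrefixLookups replaces the library's default set, so
    // "file" and any other unlisted prefix have no lookup and stay literal.
    static PropertiesConfiguration loadRestricted(String propertiesText)
            throws ConfigurationException {
        PropertiesConfiguration config = new PropertiesConfiguration();
        Map<String, Lookup> defaults = ConfigurationInterpolator.getDefaultPrefixLookups();
        Map<String, Lookup> allowed = new HashMap<>();
        for (String prefix : ALLOWED_PREFIXES) {
            Lookup lookup = defaults.get(prefix);
            if (lookup != null) {
                allowed.put(prefix, lookup);
            }
        }
        config.setPrefixLookups(allowed);
        try {
            config.read(new StringReader(propertiesText));
        } catch (IOException e) {
            throw new ConfigurationException(e);
        }
        return config;
    }

    public static void main(String[] args) throws ConfigurationException {
        // Constructed sample input: one allowed reference, one disallowed one.
        String sample = String.join("\n",
                "app.home=${sys:user.home}",
                "app.secret=${file:utf8:/placeholder/path/outside/workspace}");

        Set<String> bad = findDisallowedPrefixes(sample);
        System.out.println("disallowed prefixes: " + bad);   // [file]

        PropertiesConfiguration cfg = loadRestricted(sample);
        // sys: resolves; the file: reference is left as the literal text
        // because no lookup is registered for that prefix.
        System.out.println("app.home   = " + cfg.getString("app.home"));
        System.out.println("app.secret = " + cfg.getString("app.secret"));
    }
}
```

A build step would typically call findDisallowedPrefixes first and fail the step when the set is non-empty, and use loadRestricted for the read itself; relying on the loader alone still leaves a reviewer without a signal that someone attempted a file: reference.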

Fix

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2022-45381
GHSA-3G9Q-CMGV-G4P6
RHSA-2023:0560
RHSA-2023:0777

Affected Products

Apache Commons Configuration
Jenkins
Jenkins Pipeline Utility Steps Plugin