PT-2022-4017 · Jenkins · Jenkins Deployer Framework Plugin

Daniel Beck · Published 2022-07-27 · Updated 2023-11-22 · CVE-2022-36889

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Jenkins Deployer Framework Plugin versions 85.v1d1888e8c021 and earlier

Description: Jenkins Deployer Framework Plugin does not correctly restrict the application path when configuring a deployment. This allows attackers with Item/Configure permission to upload arbitrary files from the Jenkins controller file system to the selected service. A remote attacker can exploit this to upload files.

Recommendations: For Jenkins Deployer Framework Plugin versions 85.v1d1888e8c021 and earlier, restrict the application path of applications when configuring a deployment so that attackers cannot upload arbitrary files. As a temporary workaround, consider disabling the deployment configuration feature until a patch is available. Restrict the Item/Configure permission to minimize the risk of exploitation.
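As an added example (not code from the advisory or from the plugin), the following containment check shows the kind of application-path restriction the recommendation asks for: the path is resolved against the build workspace and rejected if it ends up anywhere else. The workspace layout, sample paths and function names are constructed for the demonstration.

```python
import tempfile
from pathlib import Path
from typing import Optional


def resolve_application_path(workspace: str, application_path: str) -> Optional[Path]:
    """Resolve application_path against the build workspace and return the
    canonical path only if it stays inside the workspace, else None.

    The containment test runs on the fully resolved path, so '..' sequences,
    absolute paths and symlinks that point outside the workspace are all
    rejected; that is what keeps a deployment from reading arbitrary
    controller files.
    """
    ws = Path(workspace).resolve()
    # pathlib drops ws when application_path is absolute, so '/etc/passwd'
    # resolves to itself and fails the containment test below.
    candidate = (ws / application_path).resolve()
    try:
        candidate.relative_to(ws)
    except ValueError:
        return None
    return candidate


def run_demo() -> dict:
    """Classify constructed sample paths against a constructed temp workspace.
    Returns {sample_path: True if accepted, False if rejected}."""
    with tempfile.TemporaryDirectory() as tmp:
        ws = Path(tmp) / "workspace"
        (ws / "target").mkdir(parents=True)
        (ws / "target" / "app.war").write_bytes(b"constructed sample archive")
        # A symlink inside the workspace pointing at a file outside it
        (ws / "escape").symlink_to(Path(tmp) / "outside.txt")
        samples = [
            "target/app.war",            # legitimate build artifact
            "../outside.txt",            # plain traversal
            "target/../../outside.txt",  # traversal through a real subdir
            "/etc/passwd",               # absolute path on the controller
            "escape",                    # symlink escaping the workspace
        ]
        return {p: resolve_application_path(str(ws), p) is not None for p in samples}


if __name__ == "__main__":
    for path, accepted in run_demo().items():
        print(f"{'accept' if accepted else 'reject'}: {path}")
```

Checking the resolved path rather than the string the user typed is the point: a string filter for `..` alone would still accept the symlink case.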

Fix

Weakness Enumeration: Path traversal

Related Identifiers

BDU:2022-04850
CVE-2022-36889
GHSA-J5QQ-6RPM-QJGH

Affected Products

Jenkins
Jenkins Deployer Framework Plugin