PT-2023-24114 · Jenkins · Jenkins Pipeline Utility Steps Plugin

Published: 2023-05-16 · Updated: 2023-06-09 · CVE-2023-32981

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Jenkins Pipeline Utility Steps Plugin versions 2.15.2 and earlier

Description: The untar and unzip Pipeline steps extract archives into job workspaces. The plugin did not validate or restrict the file paths of entries contained in an archive, so an attacker able to supply a crafted archive as a build parameter could create or replace arbitrary files on the agent file system with attacker-specified content.

Recommendations: For Jenkins Pipeline Utility Steps Plugin versions 2.15.2 and earlier, update to version 2.15.3 or later, which rejects extraction of files in tar and zip archives that would be placed outside the expected destination directory.
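As an added example, not part of this advisory or the plugin's own code, here is the kind of check the fixed release describes, written in Python for an untar-style step: every archive member (regular file, symlink or hard link) is resolved against the destination directory and the whole extraction is refused if any member would land outside it. The function names and the in-memory sample archives are constructed for this illustration.

```python
import io
import os
import tarfile
import tempfile

def is_within_directory(base: str, target: str) -> bool:
    """True if target, after resolving '..' and symlinks, lies inside base."""
    base_real = os.path.realpath(base)
    return os.path.commonpath([base_real, os.path.realpath(target)]) == base_real

def safe_untar(archive: io.BytesIO, dest: str) -> list:
    """Extract a tar into dest; every entry is checked before any is written."""
    with tarfile.open(fileobj=archive, mode="r:*") as tar:
        members = tar.getmembers()
        for m in members:
            target = os.path.join(dest, m.name)
            if not is_within_directory(dest, target):
                raise ValueError(f"entry escapes destination: {m.name!r}")
            # Links get the same check (a symlink target is relative to the link's
            # own directory, a hard link target to the extraction root).
            if m.issym() or m.islnk():
                link_base = os.path.dirname(target) if m.issym() else dest
                if not is_within_directory(dest, os.path.join(link_base, m.linkname)):
                    raise ValueError(f"link escapes destination: {m.name!r}")
        for m in members:
            tar.extract(m, path=dest)
        return [m.name for m in members]

def make_tar(entries: dict) -> io.BytesIO:
    """Build an in-memory tar from {name: bytes}; constructed sample input only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in entries.items():
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buf.seek(0)
    return buf

def try_extract(entries: dict) -> tuple:
    """Extract into a fresh 'workspace'; report outcome, parent contents, workspace contents."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = os.path.join(tmp, "workspace")
        os.mkdir(dest)
        try:
            safe_untar(make_tar(entries), dest)
            return "extracted", sorted(os.listdir(tmp)), sorted(os.listdir(dest))
        except ValueError:
            return "rejected", sorted(os.listdir(tmp)), sorted(os.listdir(dest))
```

The parent-directory listing in the result is the evidence a reviewer wants: nothing outside the workspace is created whether the archive is accepted or refused.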

Fix

Memory Corruption

Weakness Enumeration

Related Identifiers

CVE-2023-32981
GHSA-6987-XCCV-FHJP
RHSA-2023:3610
RHSA-2023:3625
RHSA-2023:3663

Affected Products

Jenkins
Jenkins Pipeline Utility Steps Plugin