Lucene search

GitHub Advisory DatabaseGHSA-CH63-6CMG-GWG2

HistoryMar 16, 2022 - 12:00 a.m.

Arbitrary JSON and property file read vulnerability in Jenkins Extended Choice Parameter Plugin

2022-03-1600:00:44

CWE-22

GitHub Advisory Database

github.com

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

39.9%

JSON

Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier allows attackers with Item/Configure permission to read values from arbitrary JSON and Java properties files on the Jenkins controller.

Affected configurations

Vulners

Node

jenkinsextended_choice_parameterRange≤346.vd87693c5ajenkins

CPENameOperatorVersion
org.jenkins-ci.plugins:extended-choice-parameterle346.vd87693c5a

CPE	Name	Operator	Version
	org.jenkins-ci.plugins:extended-choice-parameter	le	346.vd87693c5a

References

www.openwall.com/lists/oss-security/2022/03/15/2

github.com/advisories/GHSA-ch63-6cmg-gwg2

nvd.nist.gov/vuln/detail/CVE-2022-27203

www.jenkins.io/security/advisory/2022-03-15/#SECURITY-1351

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

39.9%

JSON

Related for GHSA-CH63-6CMG-GWG2