Lucene search

GitHub Advisory DatabaseGHSA-QR42-82QJ-MW65

HistoryMay 24, 2022 - 4:50 p.m.

Improper Limitation of a Pathname to a Restricted Directory in Jenkins

2022-05-2416:50:30

CWE-22

GitHub Advisory Database

github.com

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

0.528 Medium

EPSS

Percentile

97.6%

JSON

A path traversal vulnerability in Jenkins 2.185 and earlier, LTS 2.176.1 and earlier in core/src/main/java/hudson/model/FileParameterValue.java allowed attackers with Job/Configure permission to define a file parameter with a file name outside the intended directory, resulting in an arbitrary file write on the Jenkins master when scheduling a build.

Affected configurations

Vulners

Node

org.jenkins-ci.main\Matchjenkins-core

CPENameOperatorVersion
org.jenkins-ci.main:jenkins-corele2.185
org.jenkins-ci.main:jenkins-corele2.176.1

CPE	Name	Operator	Version
	org.jenkins-ci.main:jenkins-core	le	2.185
	org.jenkins-ci.main:jenkins-core	le	2.176.1

References

www.openwall.com/lists/oss-security/2019/07/17/2

access.redhat.com/errata/RHSA-2019:2503

access.redhat.com/errata/RHSA-2019:2548

github.com/advisories/GHSA-qr42-82qj-mw65

github.com/jenkinsci/jenkins/commit/18fc7c0b466553cbd4f790db3270964305bee7f9

jenkins.io/security/advisory/2019-07-17/#SECURITY-1424

nvd.nist.gov/vuln/detail/CVE-2019-10352

web.archive.org/web/20200227033157/www.securityfocus.com/bid/109299

www.tenable.com/security/research/tra-2019-35

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:S/C:N/I:P/A:N

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

0.528 Medium

EPSS

Percentile

97.6%

JSON

Related for GHSA-QR42-82QJ-MW65