Improper Encoding or Escaping of Output in Jenkins Configuration as Code Plugin

2022-05-2416:51:51

Google

osv.dev

0.001 Low

EPSS

Percentile

22.2%

JSON

Jenkins Configuration as Code Plugin 1.24 and earlier did not escape values resulting in variable interpolation during configuration import when exporting, allowing attackers with permission to change Jenkins system configuration to obtain the values of environment variables.

CPENameOperatorVersion
io.jenkins:configuration-as-codeeq1.17
io.jenkins:configuration-as-codeeq1.21
io.jenkins:configuration-as-codeeq1.0-rc3
io.jenkins:configuration-as-codeeq1.9
io.jenkins:configuration-as-codeeq1.2
io.jenkins:configuration-as-codeeq1.0-rc2
io.jenkins:configuration-as-codeeq0.10-alpha
io.jenkins:configuration-as-codeeq1.8
io.jenkins:configuration-as-codeeq1.12
io.jenkins:configuration-as-codeeq1.19

Name	Operator	Version
io.jenkins:configuration-as-code	eq	1.17
io.jenkins:configuration-as-code	eq	1.21
io.jenkins:configuration-as-code	eq	1.0-rc3
io.jenkins:configuration-as-code	eq	1.9
io.jenkins:configuration-as-code	eq	1.2
io.jenkins:configuration-as-code	eq	1.0-rc2
io.jenkins:configuration-as-code	eq	0.10-alpha
io.jenkins:configuration-as-code	eq	1.8
io.jenkins:configuration-as-code	eq	1.12
io.jenkins:configuration-as-code	eq	1.19