Design/Logic Flaw

2022-11-1520:15:00

PRIOn knowledge base

www.prio-n.com

jenkins config rotator

http endpoint

file reading

0.002 Low

EPSS

Percentile

52.6%

JSON

Jenkins Config Rotator Plugin 2.0.1 and earlier does not restrict a file name query parameter in an HTTP endpoint, allowing unauthenticated attackers to read arbitrary files with ‘.xml’ extension on the Jenkins controller file system.

CPENameOperatorVersion
config_rotatorle2.0.1

CPE	Name	Operator	Version
	config_rotator	le	2.0.1

References

www.openwall.com/lists/oss-security/2022/11/15/4

www.jenkins.io/security/advisory/2022-11-15/

0.002 Low

EPSS

Percentile

52.6%

JSON

Related for PRION:CVE-2022-45388