CVE-2022-34177

HIGH

Jenkins Pipeline: Input Step Plugin <448.v37cea_9a_10a_70 - Privile...

Title source: llm

Description

Jenkins Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier archives files uploaded for `file` parameters for Pipeline `input` steps on the controller as part of build metadata, using the parameter name without sanitization as a relative path inside a build-related directory, allowing attackers able to configure Pipelines to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.

References (1)

Core 1

Core References

Vendor Advisory

https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2705

Scores

CVSS v3 7.5

EPSS 0.0011

EPSS Percentile 29.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Details

CWE

CWE-22

Status published

Products (2)

jenkins/pipeline\ < 448.v37cea_9a_10a_70

org.jenkins-ci.plugins/pipeline-input-step 0 - 449.v77f0e8bMaven

Published Jun 23, 2022

Tracked Since Feb 18, 2026