Bug 2143089 (CVE-2022-45381)

Summary: CVE-2022-45381 jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability in Pipeline Utility Steps Plugin
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: abenaiss, jburrell, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Pipeline Utility Steps Plugin 2.13.2 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Pipeline Utility Steps Jenkins Plugin. The affected version of the Pipeline Utility Steps Plugin does not restrict the set of enabled prefix interpolators and bundles versions of this library that enable the file: prefix interpolator by default. This flaw allows attackers who can configure Pipelines to read arbitrary files from the Jenkins controller file system.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-02-11 15:09:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2143095    
Bug Blocks: 2143058    

Description Avinash Hanwate 2022-11-16 02:45:02 UTC 
Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:' prefix interpolator by default, allowing attackers able to configure Pipelines to read arbitrary files from the Jenkins controller file system.

https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2949
Comment 3 errata-xmlrpc 2023-02-08 18:38:49 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:0560 https://access.redhat.com/errata/RHSA-2023:0560
Comment 4 Product Security DevOps Team 2023-02-11 15:09:25 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-45381
Comment 5 errata-xmlrpc 2023-02-22 23:59:19 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2023:0777 https://access.redhat.com/errata/RHSA-2023:0777