2143089 – (CVE-2022-45381) CVE-2022-45381 jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability in Pipeline Utility Steps Plugin

Bug 2143089 (CVE-2022-45381) - CVE-2022-45381 jenkins-plugin/pipeline-utility-steps: Arbitrary file read vulnerability in Pipeline Utility Steps Plugin

Summary: CVE-2022-45381 jenkins-plugin/pipeline-utility-steps: Arbitrary file read vul...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-45381
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2143095
Blocks:	2143058
TreeView+	depends on / blocked

Reported:	2022-11-16 02:45 UTC by Avinash Hanwate
Modified:	2023-03-21 14:41 UTC (History)
CC List:	3 users (show)
Fixed In Version:	Pipeline Utility Steps Plugin 2.13.2
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the Pipeline Utility Steps Jenkins Plugin. The affected version of the Pipeline Utility Steps Plugin does not restrict the set of enabled prefix interpolators and bundles versions of this library that enable the file: prefix interpolator by default. This flaw allows attackers who can configure Pipelines to read arbitrary files from the Jenkins controller file system.
Clone Of:
Environment:
Last Closed:	2023-02-11 15:09:27 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2023:1378	None	None	None	2023-03-21 14:41:42 UTC
Red Hat Product Errata	RHSA-2023:0560	None	None	None	2023-02-08 18:38:51 UTC
Red Hat Product Errata	RHSA-2023:0777	None	None	None	2023-02-22 23:59:20 UTC

Description Avinash Hanwate 2022-11-16 02:45:02 UTC

Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:' prefix interpolator by default, allowing attackers able to configure Pipelines to read arbitrary files from the Jenkins controller file system.

https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2949

Comment 3 errata-xmlrpc 2023-02-08 18:38:49 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:0560 https://access.redhat.com/errata/RHSA-2023:0560

Comment 4 Product Security DevOps Team 2023-02-11 15:09:25 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-45381

Comment 5 errata-xmlrpc 2023-02-22 23:59:19 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2023:0777 https://access.redhat.com/errata/RHSA-2023:0777

Note You need to log in before you can comment on or make changes to this bug.