Jenkins Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier archives files uploaded for `file` parameters for Pipeline `input` steps on the controller as part of build metadata, using the parameter name without sanitization as a relative path inside a build-related directory, allowing attackers able to configure Pipelines to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content. https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2705 https://nvd.nist.gov/vuln/detail/CVE-2022-34177
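Two defender-side checks for the issue described above, as an added example that is not code from Jenkins or the Pipeline: Input Step plugin: one decides whether an installed plugin version predates the fix, the other shows the name validation plus containment check that keeps a parameter-derived path inside the build directory. The build directory path, function names and sample parameter names are assumptions.

```python
import re
from pathlib import Path

# First fixed release, taken from the verification log on this page (449.v77f0e8b_845c4).
FIXED_NUMERIC_PREFIX = 449
# Constructed build directory; it does not need to exist for the checks below.
BUILD_DIR = Path("/var/lib/jenkins/jobs/demo/builds/7")


def plugin_numeric_prefix(version: str) -> int:
    """Jenkins incrementals versions look like '448.v37cea_9a_10a_70';
    the leading integer is what orders releases."""
    m = re.match(r"^(\d+)", version)
    if not m:
        raise ValueError(f"unparseable plugin version: {version!r}")
    return int(m.group(1))


def input_step_is_affected(version: str) -> bool:
    """True when the installed Pipeline: Input Step plugin is 448.x or older."""
    return plugin_numeric_prefix(version) < FIXED_NUMERIC_PREFIX


# Allow-list for a parameter name that will become a file name: no separators,
# no leading dot (so '.', '..' and hidden files are rejected), bounded length.
_SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def safe_upload_path(build_dir: Path, param_name: str) -> Path:
    """Map a 'file' parameter name to a location directly under build_dir.
    Reject rather than repair: a name that fails the allow-list is refused, and
    the resolved target is re-checked so that a symlink planted under build_dir
    cannot redirect the write outside it."""
    if not _SAFE_NAME.fullmatch(param_name):
        raise ValueError(f"rejected file parameter name: {param_name!r}")
    base = build_dir.resolve()
    target = (base / param_name).resolve()
    if target.parent != base:
        raise ValueError(f"target escapes build directory: {target}")
    return target


def is_safe_upload_name(build_dir: Path, param_name: str) -> bool:
    """Boolean wrapper around safe_upload_path for audits and tests."""
    try:
        safe_upload_path(build_dir, param_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for v in ("448.v37cea_9a_10a_70", "449.v77f0e8b_845c4"):
        print(v, "affected" if input_step_is_affected(v) else "fixed")
    for name in ("report.txt", "../../../config.xml", "/etc/passwd", ".hidden"):
        print(repr(name), "ok" if is_safe_upload_name(BUILD_DIR, name) else "rejected")
```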
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.10 Via RHSA-2022:6531 https://access.redhat.com/errata/RHSA-2022:6531
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-34177
verified
=========
Fix found in https://openshift-release.apps.ci.l2s4.p1.openshiftapps.com/releasestream/4.8.0-0.nightly/release/4.8.0-0.nightly-2023-01-05-074107

jitsingh@jitsingh-mac ~ oc rsh jenkins-1-5r9ss
sh-4.4$ curl -s https://gitlab.com/jitendar-singh/jenkins-cve-verfication/-/raw/main/scripts/plugins-verification-old.sh | sh
Verifying Plugins:
[per-plugin existence and version checks for the installed plugins omitted]
Verifying: pipeline-input-step:449.v77f0e8b_845c4 - checking if /var/lib/jenkins/plugins/pipeline-input-step.jpi exists ... yes - checking if version matches 449.v77f0e8b_845c4 ... yes
Verifying Jenkins Version: - checking if version matches 2.361.1 ... yes
All tests succeeded!
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.9 Via RHSA-2022:9110 https://access.redhat.com/errata/RHSA-2022:9110
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2023:0017 https://access.redhat.com/errata/RHSA-2023:0017