CVE-2022-36890: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

July 27, 2022 (updated November 22, 2023)

Jenkins Deployer Framework Plugin 85.v1d1888e8c021 and earlier does not restrict the name of files in methods implementing form validation, allowing attackers with Item/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.

References

www.openwall.com/lists/oss-security/2022/07/27/1
nvd.nist.gov/vuln/detail/CVE-2022-36890
www.jenkins.io/security/advisory/2022-07-27/

Detect and mitigate CVE-2022-36890 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →