CVE-2022-45381: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

November 16, 2022 (updated November 21, 2022)

Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the ‘file:’ prefix interpolator by default, allowing attackers able to configure Pipelines to read arbitrary files from the Jenkins controller file system.

References

github.com/advisories/GHSA-3g9q-cmgv-g4p6
nvd.nist.gov/vuln/detail/CVE-2022-45381
www.jenkins.io/security/advisory/2022-11-15/

Detect and mitigate CVE-2022-45381 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →