Path traversal in Pipeline Utility Steps

#VU76236 Path traversal in Pipeline Utility Steps

Published: 2023-05-17

Vulnerability identifier: #VU76236

Vulnerability risk: Medium

CVSSv3.1: 5.5 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-32981

CWE-ID: CWE-22

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Pipeline Utility Steps
Web applications / Modules and components for CMS

Vendor: Jenkins

Description

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote user can send a specially crafted HTTP request and create or replace arbitrary files on the system.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Pipeline Utility Steps: 2.0 - 2.15.2

External links
http://jenkins.io/security/advisory/2023-05-16/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in OpenShift Container Platform 4.10

OpenShift Developer Tools and Services for OCP 4.11 update for jenkins and jenkins-2-plugins

OpenShift Developer Tools and Services for OCP 4.12 update for jenkins and jenkins-2-plugins

Path traversal in Jenkins Pipeline Utility Steps plugin