CVE-2022-23107

Summary

Jenkins Warnings Next Generation Plugin 9.10.2 and earlier does not restrict the name of a file when configuring custom ID, allowing attackers with Item/Configure permission to write and read specific files with a hard-coded suffix on the Jenkins controller file system.

Affected Software

VendorProductVersion RangeStatus
Jenkins projectJenkins Warnings Next Generation Pluginunspecified <= 9.10.2affected
Jenkins projectJenkins Warnings Next Generation Plugin9.0.2unaffected
Jenkins projectJenkins Warnings Next Generation Plugin9.5.2unaffected
Jenkins projectJenkins Warnings Next Generation Plugin9.7.1unaffected

Weaknesses

ADP Enrichment

CVE Program Container

Additional References

References