CVE-2022-45381 Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier doesn't restrict the set of enabled prefix interpolators and bundles and allows attackers to download and execute arbitrary code.

Note that this issue does not affect Jenkins installations that have explicitly disabled the 'file:' prefix interpolator, or installations that have disabled the 'file:' interpolator through configuration options.

This issue was addressed by upgrading Apache Commons Configuration to version 1.3.0, which was released in June 2018. Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier, when installed on a system with Apache Commons Configuration version 1.2.5 or earlier, is vulnerable to a privilege escalation due to the 'file:' prefix interpolator. Note that this issue does not affect Jenkins installations that have explicitly disabled the 'file:' prefix interpolator, or installations that have disabled the 'file:' interpolator through configuration options.

^^

This issue was addressed by upgrading Apache Commons Configuration to version 1.3.0, which was released in June 2018. Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier, when installed on a system with Apache Commons Configuration version 1.2.5 or earlier, is vulnerable to a privilege escalation due to the 'file:' prefix interpolator. Note that this issue does not affect Jenkins installations that have explicitly disabled the 'file:' prefix interpolator, or installations that have disabled the 'file:' interpolator through configuration options.

Check for Jenkins installations that are vulnerable to this issue

The following command lists all installations of Jenkins that are vulnerable to this issue:
$ curl -s https://updates.jenkins-ci.org/downloads/latest | grep "Apache Commons Configuration"

Jenkins Pipelines Utility Steps plugin 2.13.1 and earlier is vulnerable to privilege escalation due to a design error in Apache Commons Configuration version 1.2.5 and earlier, which caused the pipeline steps plugin to use the 'file:' prefix interpolator. This vulnerability is addressed by upgrading to Apache Commons Configuration version 1.3.0, released on June 18th 2018

Cause

The vulnerability is caused when Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier, when installed on a system with Apache Commons Configuration version 1.2.5 or earlier, does not sufficiently validate the path parameter of the 'file:' prefix interpolator via the Jenkins pipeline configuration file (job.xml).

Description of the issue

The Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier, when installed on a system with Apache Commons Configuration version 1.2.5 or earlier, is vulnerable to a privilege escalation due to the 'file:' prefix interpolator.

CVE-2018-8015 - Apache Commons Configuration Vulnerability

A vulnerability in Apache Commons Configuration version 1.2.5 and earlier, when installed on a system with Jenkins Pipeline Utility Steps Plugin 2.13.1 or earlier, allows a malicious user to escalate privileges to root by using the 'file:' prefix interpolator to execute arbitrary commands as root.

Timeline

Published on: 11/15/2022 20:15:00 UTC
Last modified on: 11/29/2022 14:19:00 UTC

References

• https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2949
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-45381