CVE-2022-25188: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

February 15, 2022 (updated November 30, 2023)

Jenkins Fortify Plugin 20.2.34 and earlier does not sanitize the appName and appVersion parameters of its Pipeline steps, allowing attackers with Item/Configure permission to write or overwrite .xml files on the Jenkins controller file system with content not controllable by the attacker.

References

www.openwall.com/lists/oss-security/2022/02/15/2
nvd.nist.gov/vuln/detail/CVE-2022-25188
www.jenkins.io/security/advisory/2022-02-15/

Code Behaviors & Features

Detect and mitigate CVE-2022-25188 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →