CVE-2022-34181 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2022-34181

CVE-2022-34181

June 22, 2022

Jenkins xUnit Plugin 3.0.8 and earlier implements an agent-to-controller message that creates a user-specified directory if it doesn't exist, and parsing files inside it as test results, allowing attackers able to control agent processes to create an arbitrary directory on the Jenkins controller or to obtain test results from existing files in an attacker-specified directory.

Affected Packages

org.jenkins-ci.plugins:xunit (JAVA):

Affected version(s) >=1.22 <3.1.0

Fix Suggestion:

Update to version 3.1.0

Related Resources (4)

https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2549

https://github.com/jenkinsci/xunit-plugin/commit/6976b5da114845a7936ea36d5783a65cd91f9897

https://nvd.nist.gov/vuln/detail/CVE-2022-34181

https://github.com/jenkinsci/xunit-plugin

Do you need more information?

CVSS v4

Base Score:

9.3

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

CVSS v2

Base Score:

6.4

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

NONE

Weakness Type (CWE)

Protection Mechanism Failure

CWE-693

EPSS

Base Score:

1.34

Products

Solutions

Resources

Company

Compare

Developer Tools