6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-36889

GHSA ID

GHSA-j5qq-6rpm-qjgh

EPSS Score

0.4365%

CWE

CWE-22

Published

7/28/2022

Updated

2/2/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-36889

CVE-2022-36889:
Jenkins Deployer Framework Plugin does not restrict application path of applications when configuring a deployment

Jenkins Deployer Framework Plugin 85.v1d1888e8c021 and earlier does not restrict the application path of the applications when configuring a deployment, allowing attackers with Item/Configure permission to upload arbitrary files from the Jenkins controller file system to the selected service.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-36889

GHSA ID

GHSA-j5qq-6rpm-qjgh

EPSS Score

0.4365%

CWE

CWE-22

Published

7/28/2022

Updated

2/2/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:deployer-framework	maven	<= 85.v1d1888e8c021	86.v7b_a_4a_55b_f3ec

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper path validation during deployment configuration. Key indicators:

The advisory explicitly states the plugin didn't restrict application paths during deployment setup.
The CWE-22 classification confirms this is a path traversal issue.
The patched version added restrictions to only allow build artifacts, implying the original implementation lacked path validation.
Jenkins plugin patterns suggest deployment logic would be in Deployer classes, and form validation in Descriptor classes.
The 'Item/Configure' permission requirement aligns with these being configuration-related functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins **ploy*r *r*m*work Plu*in **.v************ *n* **rli*r *o*s not r*stri*t t** *ppli**tion p*t* o* t** *ppli**tions w**n *on*i*urin* * **ploym*nt, *llowin* *tt**k*rs wit* It*m/*on*i*ur* p*rmission to uplo** *r*itr*ry *il*s *rom t** J*nkins *ont

Reasoning

T** vuln*r**ility st*ms *rom improp*r p*t* v*li**tion *urin* **ploym*nt *on*i*ur*tion. K*y in*i**tors: *. T** **visory *xpli*itly st*t*s t** plu*in *i*n't r*stri*t *ppli**tion p*t*s *urin* **ploym*nt s*tup. *. T** *W*-** *l*ssi*i**tion *on*irms t*is

6.5

Basic Information

Concerned about an active attack path?

CVE-2022-36889: Jenkins Deployer Framework Plugin does not restrict application path of applications when configuring a deployment

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-36889:
Jenkins Deployer Framework Plugin does not restrict application path of applications when configuring a deployment

Vulnerability Intelligence
Miggo AI