CVE-2022-45388: Jenkins Config Rotator Plugin vulnerable to path traversal

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.44295%
Published: 11/16/2022
Updated: 11/5/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name: org.jenkins-ci.main:config-rotator
Ecosystem: maven
Vulnerable Versions: <= 2.0.1
First Patched Version: (none listed)

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from an unauthenticated HTTP endpoint that takes a file name from a query parameter and uses it to build a path on the Jenkins controller without rejecting path-traversal sequences such as "../" or absolute paths. Because the parameter is neither validated nor canonicalised and checked for containment in the intended directory, an attacker can escape that directory and read any file on the controller whose name ends in ".xml". The extension restriction is a weak limit: the controller's own config.xml, the credentials.xml written by the Credentials plugin, and per-job and per-user config.xml files all live under JENKINS_HOME with that extension, which is why the vector rates confidentiality impact High (C:H) with no integrity or availability impact, and PR:N matches the unauthenticated access described in the advisory. The advisories do not name the affected method. Jenkins plugins expose HTTP endpoints through Stapler web methods (public doSomething(...) methods on a model object, with request parameters bound via @QueryParameter) rather than servlet doGet/doPost handlers, so the flaw would be expected in such a method that appends the parameter to a directory path. The root-cause confidence is high because the advisory states the missing parameter restriction directly.
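The check the root-cause analysis describes as missing, as an added illustration that is not the plugin's code: the plugin is Java, and this Python reproduces only the flaw class (an extension check with no containment check) beside the fix pattern. The directory layout, the file names and the helpers resolve_vulnerable, resolve_hardened and demo are constructed for the example.

```python
"""Path-traversal check for a "serve one .xml file by name" endpoint.

resolve_vulnerable() reproduces the flaw class: only the extension is
checked.  resolve_hardened() shows the containment check a fix needs.
The directory tree and file names below are constructed for the demo and
are not the plugin's real layout.
"""
import os
import tempfile
from pathlib import Path


def resolve_vulnerable(base_dir: str, name: str) -> Path:
    """Only the suffix is checked, so '../' segments and absolute paths
    walk out of base_dir.  os.path.join() even discards base_dir entirely
    when name is absolute."""
    if not name.endswith(".xml"):
        raise ValueError("only .xml files are served")
    return Path(os.path.join(base_dir, name))


def resolve_hardened(base_dir: str, name: str) -> Path:
    """Accept a bare file name only, then canonicalise and require that the
    result is a direct child of base_dir.  The post-resolve check also catches
    a symlink inside base_dir that points elsewhere, because resolve() follows
    it."""
    if not name.endswith(".xml"):
        raise ValueError("only .xml files are served")
    if name in ("", ".", "..") or Path(name).name != name:
        raise ValueError("file name must not contain path components")
    base = Path(base_dir).resolve()
    target = (base / name).resolve()
    if target.parent != base:
        raise ValueError("resolved path escapes the served directory")
    return target


def _rejected(base_dir: str, name: str) -> bool:
    """True when the hardened resolver refuses the name."""
    try:
        resolve_hardened(base_dir, name)
    except ValueError:
        return True
    return False


def demo() -> dict:
    """Build a throwaway tree (constructed for this example):
        <tmp>/configs/rotation.xml   the file the endpoint is meant to serve
        <tmp>/credentials.xml        stand-in for a sensitive .xml outside it
        <tmp>/configs/alias.xml      symlink inside configs/ pointing outside
    and report what each resolver does with traversal payloads."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        configs = root / "configs"
        configs.mkdir()
        (configs / "rotation.xml").write_text("<config/>")
        (root / "credentials.xml").write_text("<secrets/>")
        (configs / "alias.xml").symlink_to(root / "credentials.xml")

        traversal = "../credentials.xml"
        absolute = str(root / "credentials.xml")
        return {
            # The flawed resolver follows '../' and honours an absolute path.
            "vulnerable_leaks": resolve_vulnerable(str(configs), traversal).read_text(),
            "vulnerable_leaks_absolute": resolve_vulnerable(str(configs), absolute).read_text(),
            # The hardened resolver rejects traversal, absolute paths and the
            # escaping symlink, but still serves the legitimate file.
            "hardened_rejects_traversal": _rejected(str(configs), traversal),
            "hardened_rejects_absolute": _rejected(str(configs), absolute),
            "hardened_rejects_symlink": _rejected(str(configs), "alias.xml"),
            "hardened_serves_legit": resolve_hardened(str(configs), "rotation.xml").read_text(),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points carry over to a Java fix unchanged: validate the value after the framework has URL-decoded it (a Stapler @QueryParameter arrives already decoded, so %2e%2e%2f reaches the method as ../), and compare canonical paths rather than scanning the string for "..", which misses absolute paths and symlinks.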


WAF Protection Rules

WAF Rule

Jenkins Config Rotator Plugin 2.0.1 and earlier does not restrict a file name query parameter in an HTTP endpoint, allowing unauthenticated attackers to read arbitrary files with '.xml' extension on the Jenkins controller file system. Currently there
