CVE-2022-34181
First published: Wed Jun 22 2022(Updated: )
Jenkins xUnit Plugin 3.0.8 and earlier implements an agent-to-controller message that creates a user-specified directory if it doesn't exist, and parsing files inside it as test results, allowing attackers able to control agent processes to create an arbitrary directory on the Jenkins controller or to obtain test results from existing files in an attacker-specified directory.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins Xunit | <=3.0.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2022-34181?
CVE-2022-34181 is considered a high severity vulnerability due to its potential for remote code execution.
How do I fix CVE-2022-34181?
To fix CVE-2022-34181, update the Jenkins xUnit Plugin to version 3.0.9 or later.
What is the potential impact of CVE-2022-34181?
The potential impact of CVE-2022-34181 includes unauthorized directory creation on the Jenkins controller, leading to possible malicious activity.
Who is affected by CVE-2022-34181?
CVE-2022-34181 affects users of Jenkins xUnit Plugin versions 3.0.8 and earlier.
What action should I take if I cannot upgrade to fix CVE-2022-34181?
If upgrading is not possible, consider implementing strict access controls to limit agent process capabilities as a temporary mitigation for CVE-2022-34181.
- collector/nvd-index
- collector/nvd-api
- agent/author
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- agent/tags
- agent/references
- agent/weakness
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- vendor/jenkins
- canonical/jenkins xunit
- version/jenkins xunit/3.0.8