CVE-2022-36889

8.8 HIGH

📋 TL;DR

The Jenkins Deployer Framework Plugin does not restrict which controller-side file path a deployment may reference. A user holding Item/Configure permission on a job can therefore configure a deployment that reads an arbitrary file from the Jenkins controller file system and uploads it to the deployment service. The direct impact is disclosure of controller files; the practical consequence is exfiltration of secrets and credentials stored on the controller, which can be leveraged into wider CI/CD compromise. Any Jenkins instance with the vulnerable plugin installed is affected.

💻 Affected Systems

Products:
  • Jenkins Deployer Framework Plugin
Versions: 85.v1d1888e8c021 and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Jenkins with the vulnerable plugin installed and users with Item/Configure permission.

📦 What is this software?

Deployer Framework Plugin provides a common framework and UI (a post-build step and a "Deploy Now" action) for deploying build artifacts from Jenkins jobs to hosting services; concrete targets are contributed by other plugins built on the framework. Its deployment configuration, including the path of the application file to upload, is part of the job configuration and is therefore editable by anyone with Item/Configure on that job.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker uses a job they can configure to upload files such as $JENKINS_HOME/secrets/master.key, $JENKINS_HOME/secrets/hudson.util.Secret and $JENKINS_HOME/credentials.xml to a deployment service they control, decrypts the stored credentials, and uses them to reach every system the Jenkins controller can reach, compromising the CI/CD pipeline and the code and infrastructure it deploys.

🟠

Likely Case

An attacker with job configuration rights reads controller files they are not authorised to see (other jobs' configuration, build logs, stored secrets) by pointing a deployment at them.

🟢

If Mitigated

With the plugin updated, deployments can only reference the files they are meant to ship; the residual exposure is whatever Item/Configure users can already do legitimately, so keeping that permission to trusted users is the remaining control.

🌐 Internet-Facing: HIGH if Jenkins is reachable from the internet, the plugin is installed, and external or self-registered accounts can obtain Item/Configure.
🏢 Internal Only: MEDIUM. An authenticated account with Item/Configure is required, but that permission is commonly granted to developers, so a malicious insider or a phished developer account is enough.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires Item/Configure permission but is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 86.v1d1888e8c021 or later

Vendor Advisory: https://www.jenkins.io/security/advisory/2022-07-27/#SECURITY-2764

Restart Required: Yes

Instructions:

1. Update Jenkins Deployer Framework Plugin to version 86.v1d1888e8c021 or later via Jenkins Plugin Manager.
2. Restart Jenkins to apply the update.

🔧 Temporary Workarounds

Restrict Item/Configure permission (all platforms)

Grant Item/Configure only to trusted users, and only on the jobs they need, to limit who can change deployment configuration.

Uninstall vulnerable plugin (all platforms)

Remove the Deployer Framework Plugin (and the service plugins that depend on it) if it is not required for operations.

🧯 If You Can't Patch

  • Implement strict access controls so that only trusted users hold Item/Configure, ideally per job rather than globally.
  • Monitor job configuration changes (for example with the Audit Trail or Job Configuration History plugin) for deployment settings that reference absolute paths, "..", or files under $JENKINS_HOME rather than build artifacts.
  • Monitor outbound connections from the controller to deployment services that are not on an allowlist.

🔍 How to Verify

Check if Vulnerable:

Check Jenkins plugin manager for Deployer Framework Plugin version. If version is 85.v1d1888e8c021 or earlier, system is vulnerable.

Check Version:

Check via the Jenkins web UI: Manage Jenkins > Plugin Manager > Installed plugins. Alternatively, query the plugin manager REST API (GET /pluginManager/api/json?depth=1, look for shortName "deployer-framework") or read the Plugin-Version header in $JENKINS_HOME/plugins/deployer-framework/META-INF/MANIFEST.MF. The leading number of the version string (85 in 85.v1d1888e8c021) is what to compare.

Verify Fix Applied:

Verify plugin version is 86.v1d1888e8c021 or later in Jenkins plugin manager.
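The version check above, as an added example that is not part of this advisory summary or of the plugin itself. It reads the plugin version either from the Plugin-Version header of the plugin's MANIFEST.MF or from the JSON returned by the Jenkins plugin manager API (/pluginManager/api/json?depth=1), then compares the leading integer of Jenkins' "NN.vHASH" version scheme against the fixed version stated on this page. The sample manifest and API response are constructed, not captured from a real instance; the short name "deployer-framework" matches the plugin directory named above.

```python
"""Check whether an installed Deployer Framework Plugin is older than the fixed version.

Added example (not the plugin's own code). Assumes the plugin short name
"deployer-framework" and takes the fixed version from this advisory summary.
"""
import json
import re

PLUGIN_SHORT_NAME = "deployer-framework"
FIXED_VERSION = "86.v1d1888e8c021"  # fixed version as stated on this page


def leading_number(version: str) -> int:
    """Return the leading integer of a Jenkins plugin version.

    Works for CD-style versions ("85.v1d1888e8c021") and for older dotted
    versions ("1.3"), where the leading number is also the major version.
    """
    m = re.match(r"\s*(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised plugin version: {version!r}")
    return int(m.group(1))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed version."""
    return leading_number(installed) < leading_number(fixed)


def version_from_manifest(manifest_text: str) -> str:
    """Extract Plugin-Version from a plugin's META-INF/MANIFEST.MF."""
    for line in manifest_text.splitlines():
        if line.startswith("Plugin-Version:"):
            return line.split(":", 1)[1].strip()
    raise ValueError("no Plugin-Version header in MANIFEST.MF")


def version_from_plugin_manager(api_json: str, short_name: str = PLUGIN_SHORT_NAME):
    """Find a plugin's version in the JSON of /pluginManager/api/json?depth=1.

    Returns None when the plugin is not installed (not vulnerable, nothing to fix).
    """
    data = json.loads(api_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == short_name:
            return plugin.get("version")
    return None


# Constructed sample inputs, not real output from a Jenkins controller.
SAMPLE_MANIFEST = """Manifest-Version: 1.0
Short-Name: deployer-framework
Long-Name: Deployer Framework Plugin
Plugin-Version: 85.v1d1888e8c021
"""

SAMPLE_API_JSON = json.dumps({"plugins": [
    {"shortName": "git", "version": "4.11.4"},
    {"shortName": "deployer-framework", "version": "86.v1d1888e8c021"},
]})


if __name__ == "__main__":
    v = version_from_manifest(SAMPLE_MANIFEST)
    print(f"manifest: {v} -> {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
    v = version_from_plugin_manager(SAMPLE_API_JSON)
    print(f"api:      {v} -> {'VULNERABLE' if is_vulnerable(v) else 'fixed'}")
```

On a live controller, feed version_from_plugin_manager the body of an authenticated GET to /pluginManager/api/json?depth=1&tree=plugins[shortName,version], or read the manifest from the plugins directory on the controller host.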

📡 Detection & Monitoring

Log Indicators:

  • Jenkins core does not log a dedicated "file upload" event for this plugin; the useful record is job configuration changes, captured by the Audit Trail plugin (lines of the form "/job/<name>/configSubmit by <user>") or the Job Configuration History plugin.
  • Deployment settings in a job's config.xml whose application file path is absolute, contains "..", or points under $JENKINS_HOME (secrets/, credentials.xml) instead of at a build artifact.
  • Configuration changes to jobs with deployment steps made by users outside the expected set of job owners.

Network Indicators:

  • Connections from the Jenkins controller to deployment services or accounts that are not on the allowlist of known targets.
  • Uploads to a deployment service that are much smaller or larger than the job's normal artifact, or that occur outside normal build windows.

SIEM Query:

The following is a Splunk-style query and assumes the Audit Trail plugin log is indexed as sourcetype jenkins_audit; adjust index, sourcetype and the trusted user list to the local setup.

index=jenkins sourcetype=jenkins_audit "/configSubmit"
| rex "(?<job_path>/job/\S+)/configSubmit by (?<user>\S+)"
| search NOT user IN ("<trusted users>")
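The config.xml indicator from the "If You Can't Patch" and "Detection & Monitoring" sections, as an added hunting script that is not part of this page or of the plugin. It walks a job's config.xml, treats any element carrying a plugin="deployer-framework@..." attribute (the convention Jenkins uses to tag plugin-owned configuration) or a tag containing "deploy" as deployment configuration, and flags text values inside it that look like absolute paths, contain "..", or reference $JENKINS_HOME, secrets/ or credentials.xml. The sample config.xml is constructed, and its element names (com.example.DeployPublisher, applicationFile) are invented for illustration; they are not the plugin's real schema, which is why the script keys on the plugin attribute rather than on exact tag names.

```python
"""Hunt Jenkins job config.xml files for deployment settings that reference
controller-side files instead of build artifacts.

Added example (not the plugin's code). Heuristic: it looks inside elements
owned by the deployer-framework plugin (plugin="deployer-framework@...") or
whose tag contains "deploy", and flags path-like values that escape the
workspace. Element names in the sample below are invented for illustration.
"""
import glob
import os
import re
import xml.etree.ElementTree as ET

# Absolute POSIX or Windows path, a ".." path component, or well-known
# controller secret locations.
SUSPICIOUS = re.compile(
    r"(^/|^[A-Za-z]:\\|(^|[\\/])\.\.([\\/]|$)|JENKINS_HOME|secrets[\\/]|credentials\.xml)"
)


def _is_deploy_element(elem) -> bool:
    plugin_attr = elem.get("plugin", "")
    return plugin_attr.startswith("deployer-framework@") or "deploy" in elem.tag.lower()


def _walk(elem, inside_deploy: bool, hits: list) -> None:
    inside = inside_deploy or _is_deploy_element(elem)
    text = (elem.text or "").strip()
    if inside and text and SUSPICIOUS.search(text):
        hits.append((elem.tag, text))
    for child in elem:
        _walk(child, inside, hits)


def suspicious_paths(config_xml: str):
    """Return (tag, value) pairs for suspicious values inside deployment config."""
    hits = []
    _walk(ET.fromstring(config_xml), False, hits)
    return hits


def scan_jenkins_home(jenkins_home: str) -> dict:
    """Scan every $JENKINS_HOME/jobs/*/config.xml; map path -> findings."""
    findings = {}
    for path in glob.glob(os.path.join(jenkins_home, "jobs", "*", "config.xml")):
        with open(path, encoding="utf-8") as fh:
            hits = suspicious_paths(fh.read())
        if hits:
            findings[path] = hits
    return findings


# Constructed sample job configuration; element names are illustrative only.
SAMPLE_CONFIG = """<project>
  <description>build and deploy</description>
  <publishers>
    <com.example.DeployPublisher plugin="deployer-framework@85.v1d1888e8c021">
      <applications>
        <application>
          <applicationFile>target/app.war</applicationFile>
        </application>
        <application>
          <applicationFile>../../secrets/master.key</applicationFile>
        </application>
        <application>
          <applicationFile>/var/lib/jenkins/credentials.xml</applicationFile>
        </application>
      </applications>
    </com.example.DeployPublisher>
  </publishers>
</project>
"""


if __name__ == "__main__":
    for tag, value in suspicious_paths(SAMPLE_CONFIG):
        print(f"SUSPICIOUS <{tag}>: {value}")
```

Run scan_jenkins_home("/var/lib/jenkins") on the controller (or on a copy of the jobs directory) to get a per-job list; any hit should be reviewed together with who last changed that job's configuration.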
