CVE-2022-23107
Description
Jenkins Warnings Next Generation Plugin 9.10.2 and earlier lets users with Item/Configure permission write/read arbitrary files (with hard-coded suffix) on the controller.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Jenkins Warnings Next Generation Plugin versions 9.10.2 and earlier contain a path traversal vulnerability in the custom ID configuration for tools. When configuring a tool, users can set a custom ID that is used to generate a file name on the Jenkins controller file system. The plugin appends a hard-coded suffix (e.g., .xml or similar) but does not validate or sanitize the ID input. This allows an attacker to specify a name that includes directory traversal sequences (../) or arbitrary paths, resulting in the creation or reading of files outside the intended directory. [1][2]
Exploitation
An attacker must have the Item/Configure permission on a Jenkins job. By editing the configuration of a tool within a job (e.g., a static analysis tool), the attacker can set the custom ID field to a malicious path, such as ../../somefile. When the plugin writes or reads the file associated with that tool, it will use the attacker-controlled path combined with the fixed suffix. No additional authentication or user interaction is required beyond the initial configuration. The attack can be performed directly from the Jenkins web UI. [1]
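The path-construction flaw described in the two sections above, as an added illustration that is not the plugin's own code: a hypothetical resolver that concatenates the custom ID with a placeholder suffix, beside a hardened version that allow-lists the ID and confirms the normalized path stays inside the base directory. The base directory, the `.xml` suffix and the class name are assumptions, not values from the advisory.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

public final class ToolIdPathResolver {
    // Assumed storage directory for per-tool files; the advisory does not name it.
    private static final Path BASE_DIR =
        Paths.get("/var/lib/jenkins/warnings-ng").toAbsolutePath().normalize();
    // Placeholder for the hard-coded suffix the advisory mentions.
    private static final String SUFFIX = ".xml";
    // Allow-list for IDs: letters, digits, underscore, hyphen; no separators or dots.
    private static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    /** Vulnerable shape: the user-supplied ID is concatenated straight into the path. */
    public static Path vulnerableResolve(String id) {
        return Paths.get(BASE_DIR.toString(), id + SUFFIX).normalize();
    }

    /** Hardened: validate the ID, then verify the normalized result is still under BASE_DIR. */
    public static Path hardenedResolve(String id) {
        if (id == null || !SAFE_ID.matcher(id).matches()) {
            throw new IllegalArgumentException("invalid tool id");
        }
        Path candidate = BASE_DIR.resolve(id + SUFFIX).normalize();
        // Defence in depth: even if the allow-list were loosened, refuse escapes.
        if (!candidate.startsWith(BASE_DIR)) {
            throw new IllegalArgumentException("path escapes base directory");
        }
        return candidate;
    }

    public static void main(String[] args) {
        String traversalId = "../../somefile"; // the traversal shape the description uses
        // Vulnerable: resolves to /var/lib/somefile.xml, two levels above BASE_DIR.
        System.out.println("vulnerable -> " + vulnerableResolve(traversalId));
        // Hardened: a well-formed ID stays inside BASE_DIR.
        System.out.println("hardened   -> " + hardenedResolve("checkstyle"));
        try {
            hardenedResolve(traversalId);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened   -> rejected: " + e.getMessage());
        }
    }
}
```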
Impact
Successful exploitation allows the attacker to write arbitrary files (with the hard-coded suffix) or read arbitrary files (also with the suffix) on the Jenkins controller file system. File contents are only partially controlled: a write stores the tool's configuration data rather than arbitrary attacker-chosen bytes, and a read returns the contents of whatever file the path resolves to. This can lead to disclosure of sensitive information (e.g., credentials stored in configuration files) or, by overwriting critical files, may allow privilege escalation to remote code execution. In either case the attacker can affect files outside the plugin's intended directory. [1]
Mitigation
The vulnerability is fixed in Warnings Next Generation Plugin version 9.10.3, released on January 12, 2022. Users should upgrade to 9.10.3 or later. No workaround is provided in the advisory. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. [1][2]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| io.jenkins.plugins:warnings-ng | Maven | >= 9.8.0, < 9.10.3 | 9.10.3 |
| io.jenkins.plugins:warnings-ng | Maven | >= 9.6.0, < 9.7.1 | 9.7.1 |
| io.jenkins.plugins:warnings-ng | Maven | >= 9.1.0, < 9.5.2 | 9.5.2 |
| io.jenkins.plugins:warnings-ng | Maven | < 9.0.2 | 9.0.2 |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-rvh4-g2rj-hr9c (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-23107 (advisory)
- www.openwall.com/lists/oss-security/2022/01/12/6 (mailing list)
- github.com/CVEProject/cvelist/blob/36f932156733baab1b13868be4338de406a1dec7/2022/23xxx/CVE-2022-23107.json (web)
- github.com/jenkinsci/warnings-ng-plugin/releases/tag/v9.10.3 (web)
- www.jenkins.io/security/advisory/2022-01-12/ (vendor advisory, web)
News mentions
- Jenkins Security Advisory 2022-01-12, Jenkins Security Advisories, Jan 12, 2022