CVE-2022-25188
Description
Jenkins Fortify Plugin 20.2.34 and earlier fails to sanitize appName and appVersion parameters, letting attackers with Item/Configure permission write arbitrary .xml files to the controller file system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Jenkins Fortify Plugin version 20.2.34 and earlier does not sanitize the appName and appVersion parameters of its Pipeline steps. This allows attackers with Item/Configure permission to write or overwrite .xml files on the Jenkins controller file system, though the content of those files is not directly controllable by the attacker. The vulnerability is identified as CVE-2022-25188 and affects all releases up to and including 20.2.34 [1][2].
Exploitation
An attacker must have Item/Configure permission for a Jenkins job to exploit this vulnerability. The attacker can supply crafted values for the appName and appVersion parameters in a Pipeline step, causing the plugin to write or overwrite an .xml file at a path the attacker specifies on the controller file system. The content written is determined by the plugin and not arbitrary, limiting the attacker to pre-defined XML structures [1][3].
Impact
Successful exploitation results in the ability to write or overwrite arbitrary .xml files on the Jenkins controller file system. This could lead to a variety of attacks, such as overwriting configuration files to alter Jenkins behavior, though the attacker cannot control the full content of the files. The impact is considered to be of moderate severity, with potential consequences including information disclosure or denial of service depending on which files are overwritten [1][3].
Mitigation
Jenkins Fortify Plugin version 20.2.35, released on 2022-02-15, fixes this issue by properly sanitizing the appName and appVersion parameters. Users are strongly advised to upgrade to this version or later. There is no known workaround available in earlier versions [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
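To make the file-name handling concrete, here is an added Java illustration (not code from the Fortify plugin): it reproduces the pre-fix concatenation shape of buildFilename() from the fix commit and pairs it with a path-containment check as one defensive pattern. The class name, the statsDir location and the resolveSafely() helper are assumptions made for this example; the plugin's real fix instead runs the name through hudson.Util.rawEncode().

```java
import java.io.IOException;
import java.nio.file.Path;

public class FprSummaryFilenameDemo {
    private static final String FILE_EXTENSION = ".xml";

    // Mirrors the pre-fix shape of buildFilename(): user-controlled appName and
    // appVersion are concatenated into a file name with no sanitization.
    static String buildFilenameUnsanitized(String appName, String appVersion) {
        String filename = appName;
        if (appVersion != null && !appVersion.isEmpty()) {
            filename += "-" + appVersion;
        }
        return filename + FILE_EXTENSION;
    }

    // Defensive alternative (illustration only, not the plugin's rawEncode fix):
    // reject path separators in either value, then confirm the resolved target is
    // a direct child of the intended statistics directory before any write.
    static Path resolveSafely(Path statsDir, String appName, String appVersion) throws IOException {
        for (String part : new String[] {appName, appVersion}) {
            if (part != null && (part.indexOf('/') >= 0 || part.indexOf('\\') >= 0)) {
                throw new IOException("path separator in user-supplied value: " + part);
            }
        }
        Path base = statsDir.toAbsolutePath().normalize();
        Path target = base.resolve(buildFilenameUnsanitized(appName, appVersion)).normalize();
        if (!base.equals(target.getParent())) {
            throw new IOException("resolved path escapes " + base + ": " + target);
        }
        return target;
    }

    public static void main(String[] args) {
        // Hypothetical controller directory (assumption); the plugin derives its own location.
        Path statsDir = Path.of("/var/lib/jenkins/fortify-stats");
        System.out.println(buildFilenameUnsanitized("MyApp", "1.0"));
        // Constructed traversal-style input: the unsanitized builder passes it straight through.
        System.out.println(buildFilenameUnsanitized("../../escaped", "1"));
        try {
            System.out.println(resolveSafely(statsDir, "MyApp", "1.0"));
            resolveSafely(statsDir, "../../escaped", "1");
        } catch (IOException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

The separator check is what stops the traversal case here; the containment check is a second layer that also catches any future change to how the name is assembled.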
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:fortifyMaven | < 20.2.35 | 20.2.35 |
Affected products
- Range: unspecified
Patches
ba3030cb63bb: Statistics file name sanitizing
1 file changed · +4 −1
src/main/java/com/fortify/plugin/jenkins/FPRSummary.java+4 −1 modified@@ -25,6 +25,7 @@ import com.thoughtworks.xstream.XStream; import hudson.FilePath; +import hudson.Util; import hudson.XmlFile; import hudson.util.XStream2; @@ -53,7 +54,9 @@ private String buildFilename(String appName, String appVersion) { filename += "-" + appVersion; } filename += FILE_EXTENSION; - return filename; + //both appName and appVersion come from user input, so we must sanitize + String sanitizedFilename = Util.rawEncode(filename); + return sanitizedFilename; } public void load(File parent, String appName, String appVersion) throws IOException {
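Review bot: the second hunk changes the on-disk name of every statistics file whose appName or appVersion contains a character that hudson.Util.rawEncode() rewrites (spaces, ':', ';', non-ASCII and so on), so load(File parent, String appName, String appVersion) will no longer find files written by earlier releases for such apps; either note this in the commit message or add a fallback lookup for the old name. The encoding itself is the right tool, since rawEncode() percent-encodes '/', '\' and ':' and therefore guarantees a single path component, but the comment should say so rather than just "we must sanitize", and it should use the project's `// comment` spacing. The temporary `String sanitizedFilename` adds nothing; `return Util.rawEncode(filename);` reads more directly.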
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-23h5-8ph6-7rfc (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-25188 (NVD entry)
- www.openwall.com/lists/oss-security/2022/02/15/2 (oss-security mailing list)
- github.com/jenkinsci/fortify-plugin/commit/ba3030cb63bb86b6bb13342664e0e319f2fee374 (fix commit)
- www.jenkins.io/security/advisory/2022-02-15/ (Jenkins security advisory)
News mentions
- Jenkins Security Advisory 2022-02-15 (Jenkins Security Advisories, Feb 15, 2022)