VYPR
Moderate severity · NVD Advisory · Published Mar 15, 2022 · Updated Aug 3, 2024

CVE-2022-27203

Description

Jenkins Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier leaks arbitrary JSON/properties file content to attackers with Item/Configure permission.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Jenkins Extended Choice Parameter Plugin versions 346.vd87693c5a_86c and earlier contain a path traversal vulnerability that allows attackers with Item/Configure permission to read arbitrary JSON or Java properties files. The plugin fails to validate the user-specified file path when loading choices from JSON or Java properties files, enabling unauthorized reads of such files on the Jenkins controller file system [1][3].

Exploitation

An attacker needs Item/Configure permission on a Jenkins job (or pipeline). No authentication bypass is required; the attacker can modify the job's configuration to set a malicious file path, causing the plugin to read the contents of any JSON or .properties file on the controller. No user interaction is needed beyond the attacker's own configuration changes [1].

Impact

Successful exploitation results in the disclosure of sensitive information from files on the Jenkins controller, such as credentials stored in configuration files, secrets, or other confidential data. The attacker reads file contents but cannot write or modify files; the impact is limited to information disclosure with high confidentiality loss [3].

Mitigation

As of the advisory publication (2022-03-15), no fixed version of the Extended Choice Parameter Plugin was available. The advisory lists the plugin as an unresolved security issue [1][2]. Users should restrict Item/Configure permission to trusted users, consider removing the plugin if not needed, or monitor for a security release. No workaround within the plugin itself exists [1][2].
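With no fixed version to upgrade to, reviewing which jobs already point a file-backed parameter outside an expected directory helps scope exposure. The sketch below is an added example, not code from the advisory or the plugin: it audits a job's config.xml text and reports file fields that resolve outside an allowed directory. The element marker `ExtendedChoiceParameterDefinition`, the `propertyFile` field name, the `com.example` prefix and the `/var/lib/jenkins/choices` directory are assumptions; confirm them against your own job configurations.

```python
import posixpath
import xml.etree.ElementTree as ET

# Assumption: the parameter definition's element name contains this class name.
PARAM_MARKER = "ExtendedChoiceParameterDefinition"

# Constructed sample config.xml; element and field names are assumptions.
SAMPLE_CONFIG = """<project><properties><parameterDefinitions>
  <com.example.ExtendedChoiceParameterDefinition>
    <name>REGION</name>
    <propertyFile>/var/lib/jenkins/choices/regions.properties</propertyFile>
  </com.example.ExtendedChoiceParameterDefinition>
  <com.example.ExtendedChoiceParameterDefinition>
    <name>TARGET</name>
    <propertyFile>/var/lib/jenkins/choices/../secrets/app.properties</propertyFile>
  </com.example.ExtendedChoiceParameterDefinition>
</parameterDefinitions></properties></project>"""


def is_inside(path, allowed_dir):
    """True if path, after collapsing '..' segments, stays under allowed_dir."""
    if not path.startswith("/"):
        return False  # relative paths and URLs are reported for manual review
    base = posixpath.normpath(allowed_dir)
    norm = posixpath.normpath(path)
    return posixpath.commonpath([norm, base]) == base


def audit_job_config(xml_text, allowed_dir):
    """Return (parameter name, field, value) for file fields outside allowed_dir."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if PARAM_MARKER not in elem.tag:
            continue
        name = elem.findtext("name", default="?")
        for child in elem:
            value = (child.text or "").strip()
            if child.tag.lower().endswith("file") and value:
                if not is_inside(value, allowed_dir):
                    findings.append((name, child.tag, value))
    return findings


if __name__ == "__main__":
    for finding in audit_job_config(SAMPLE_CONFIG, "/var/lib/jenkins/choices"):
        print("review:", finding)
```

The check is lexical only, so symlinks inside the allowed directory are not followed; treat each finding as a prompt to review who holds Item/Configure on that job.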

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| org.jenkins-ci.plugins:extended-choice-parameter (Maven) | <= 346.vd87693c5a | |

Patches

0

No patches discovered yet.
