CVE-2022-36889
Description
Jenkins Deployer Framework Plugin ≤85.v1d1888e8c021 allows attackers with Item/Configure permission to upload arbitrary files from the controller to a service due to unrestricted application path.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Details
The Jenkins Deployer Framework Plugin, versions 85.v1d1888e8c021 and earlier, fails to restrict the application path when configuring a deployment [1][3]. This allows an attacker to specify an arbitrary file path on the Jenkins controller's file system as the application to deploy. The plugin then uploads the contents of that file to the selected deployment service without validation.
Exploitation
To exploit this vulnerability, an attacker must have the Item/Configure permission for a Jenkins job that uses the Deployer Framework Plugin [1]. No authentication bypass is needed beyond that permission. The attacker can set the application path to any file readable by the Jenkins controller process, such as configuration files, credentials, or other sensitive data. The file is then transmitted to the configured deployment service (e.g., a remote server or cloud platform).
Impact
Successful exploitation allows an attacker to exfiltrate arbitrary files from the Jenkins controller to an external service under their control or to a service they can monitor [3]. This can lead to disclosure of secrets, credentials, and other sensitive information stored on the controller. In some scenarios, the attacker might also upload malicious files to a target service, potentially enabling further compromise.
Mitigation
The vulnerability is fixed in Deployer Framework Plugin version 86.v7b_a_4a_55b_f3ec [2]. Users should upgrade to this version or later as soon as possible. No workaround is documented. The plugin is available from the Jenkins update center or its GitHub repository [4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins:deployer-framework | Maven | < 86.v7b_a_4a_55b_f3ec | 86.v7b_a_4a_55b_f3ec |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-j5qq-6rpm-qjgh (GitHub Security Advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2022-36889 (NVD)
- [3] www.openwall.com/lists/oss-security/2022/07/27/1 (oss-security mailing list)
- [4] www.jenkins.io/security/advisory/2022-07-27/ (Jenkins security advisory)
News mentions
No linked articles in our index yet.