CVE-2022-36890
Description
Jenkins Deployer Framework Plugin fails to restrict file names in form validation, allowing Item/Read users to check file existence on the controller.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Jenkins Deployer Framework Plugin, versions 85.v1d1888e8c021 and earlier, does not validate or restrict the name of files used in methods that implement form validation. This lack of input sanitization allows an attacker to specify arbitrary file paths in these validation requests [1].
Exploitation
An attacker must have at least Item/Read permission to exploit this vulnerability. By submitting a form validation request that contains an attacker-chosen file path, the attacker causes the plugin to check whether that file exists on the Jenkins controller's file system. The plugin's validation response reveals whether the file exists or not [1][2].
Impact
Successful exploitation enables an attacker to enumerate files on the Jenkins controller, potentially discovering sensitive files such as credentials, configuration files, or other secrets. While it does not allow reading file contents, the existence check itself can aid in further attacks or reconnaissance [1].
Mitigation
The vulnerability is fixed in Deployer Framework Plugin version 86.v7b_a_4a_55b_f3ec and later. Users should upgrade to this version immediately. No workarounds are available if the plugin cannot be updated [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:deployer-framework (Maven) | < 86.v7b_a_4a_55b_f3ec | 86.v7b_a_4a_55b_f3ec |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-hgp9-2c4w-x9mh (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-36890 (NVD advisory)
- www.openwall.com/lists/oss-security/2022/07/27/1 (oss-security mailing list)
- www.jenkins.io/security/advisory/2022-07-27/ (Jenkins vendor advisory)
News mentions
No linked articles in our index yet.