CVE-2022-41235
Description
Jenkins WildFly Deployer Plugin 1.0.2 and earlier implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
WildFly Deployer Plugin 1.0.2 and earlier allows agents to read arbitrary files on the Jenkins controller, enabling information disclosure.
Root Cause
The WildFly Deployer Plugin implements functionality that allows agent processes to read arbitrary files on the Jenkins controller file system [1][2]. This is due to insufficient access control in the plugin's code, which does not properly restrict file read operations initiated from agents.
Exploitation
An attacker with the ability to execute code on a Jenkins agent (e.g., via malicious agent registration or a compromised agent) can exploit this vulnerability to read any file on the controller. No authentication on the agent side is required beyond being able to run builds.
Impact
Successful exploitation allows an attacker to read sensitive files, such as credentials stored in Jenkins secrets, configuration files, or arbitrary data, leading to complete compromise of the Jenkins instance.
Mitigation
As of the advisory date, version 1.0.2 and earlier are affected. The plugin has not released a fixed version; users should disable the plugin or restrict agent-to-controller file access using Jenkins security settings until a patch is available [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:wildfly-deployer (Maven) | <= 1.0.2 | — |
Affected products
- Range: <=1.0.2
- Range: unspecified
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-f7fq-wp2x-jc25 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-41235 (ghsa, ADVISORY)
- www.jenkins.io/security/advisory/2022-09-21/ (ghsa, x_refsource_CONFIRM, WEB)
News mentions
- Jenkins Security Advisory 2022-09-21 (Jenkins Security Advisories · Sep 21, 2022)