VYPR
High severity · NVD Advisory · Published Sep 21, 2022 · Updated May 28, 2025

CVE-2022-41237

Description

Jenkins DotCi Plugin 2.40.00 and earlier allows remote code execution via unsafe YAML deserialization due to unconfigured parser.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Details

The Jenkins DotCi Plugin (versions 2.40.00 and earlier) processes YAML configuration files (.ci.yml) using a YAML parser that is not configured to restrict the instantiation of arbitrary types. This insecure deserialization flaw allows an attacker to craft malicious YAML input that, when parsed, instantiates arbitrary Java classes, leading to remote code execution [1][2].

Exploitation

An attacker who can supply a specially crafted .ci.yml file, for example by submitting a pull request or modifying a repository's configuration, can trigger the vulnerability. No authentication is required if the plugin processes user-supplied YAML without proper validation. The attack surface is the plugin's YAML parsing functionality, which does not employ a safe constructor or an allowlist of permitted types [1].
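The two paragraphs above describe an unconfigured YAML parser that will instantiate whatever class a document's global tag names, and the "safe constructor" that would prevent it. The following is an added example, not code from the advisory or from the DotCi plugin, showing what that hardening looks like in Java with SnakeYAML: a loader for an untrusted .ci.yml that only ever builds plain maps, lists and scalars, and rejects a tagged document before any constructor of the named class runs. It assumes SnakeYAML 2.x (org.yaml:snakeyaml) on the classpath; the plugin's actual YAML library and loading code are not stated on this page, and the two .ci.yml documents are constructed samples.

```java
// Added example (not from the advisory or the DotCi plugin). Assumes SnakeYAML 2.x.
import java.util.Map;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class CiYamlLoader {

    // Constructed sample .ci.yml: ordinary build configuration, no tags.
    static final String BENIGN_CI_YML =
        "language: java\n" +
        "build:\n" +
        "  before: mvn -q dependency:resolve\n" +
        "  run: mvn -q verify\n";

    // Constructed sample carrying a global (!!) tag that asks the parser to instantiate
    // a JVM class chosen by whoever wrote the file. java.util.Date is used only because
    // it is harmless; the problem is that the tag is honoured at all, not which class it names.
    static final String TAGGED_CI_YML =
        "language: java\n" +
        "build: !!java.util.Date {}\n";

    // Hardened loader: SafeConstructor builds only the standard YAML types (maps, lists,
    // strings, numbers, booleans, timestamps, null) and refuses every global tag it does
    // not know, so no application or JDK class can be constructed from the document.
    static Map<String, Object> loadUntrustedConfig(String yamlText) {
        Yaml yaml = new Yaml(new SafeConstructor(new LoaderOptions()));
        Object doc = yaml.load(yamlText);
        if (!(doc instanceof Map)) {
            throw new IllegalArgumentException("expected a mapping at the top level of .ci.yml");
        }
        @SuppressWarnings("unchecked")
        Map<String, Object> config = (Map<String, Object>) doc;
        return config;
    }

    public static void main(String[] args) {
        // Benign input parses to plain maps and strings.
        Map<String, Object> cfg = loadUntrustedConfig(BENIGN_CI_YML);
        System.out.println("language = " + cfg.get("language"));
        System.out.println("build is a " + cfg.get("build").getClass().getSimpleName());

        // Tagged input is rejected (a YAMLException subclass) before any constructor of
        // the tagged class runs. An unconfigured `new Yaml()` in older SnakeYAML 1.x
        // releases would instead construct the tagged class, which is the unsafe
        // configuration the advisory describes; it is deliberately not invoked here.
        try {
            loadUntrustedConfig(TAGGED_CI_YML);
            System.out.println("UNEXPECTED: tagged document was accepted");
        } catch (YAMLException e) {
            System.out.println("rejected tagged document: " + e.getClass().getSimpleName());
        }
    }
}
```

The design choice worth noting is that the safe loader is applied at the single point where repository-controlled text enters the parser; any YAML reachable from a pull request or a repository's configuration should go through a loader of this shape rather than the library default.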

Impact

Successful exploitation enables remote code execution on the Jenkins controller. An attacker could gain full control over the Jenkins instance, access stored secrets, modify builds, pivot to connected systems, and compromise the integrity and confidentiality of the CI/CD pipeline [1][2].

Mitigation

As of the advisory publication date (2022-09-21), no fix was available from the plugin maintainer. The Jenkins security team suspended the plugin from the update center and recommends that administrators remove or disable the DotCi Plugin to mitigate the risk [1][3].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.groupon.jenkins-ci.plugins:DotCi (Maven)
Affected versions: <= 2.40.00
Patched versions: none

Patches

No patches discovered yet.
