Note that this issue does not affect Jenkins installations that have explicitly disabled the 'file:' prefix interpolator, or installations that have disabled the 'file:' interpolator through configuration options.
This issue was addressed by upgrading Apache Commons Configuration to version 1.3.0, which was released in June 2018. Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier, when installed on a system with Apache Commons Configuration version 1.2.5 or earlier, is vulnerable to a privilege escalation due to the 'file:' prefix interpolator. Note that this issue does not affect Jenkins installations that have explicitly disabled the 'file:' prefix interpolator, or installations that have disabled the 'file:' interpolator through configuration options.
^^
This issue was addressed by upgrading Apache Commons Configuration to version 1.3.0, which was released in June 2018. Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier, when installed on a system with Apache Commons Configuration version 1.2.5 or earlier, is vulnerable to a privilege escalation due to the 'file:' prefix interpolator. Note that this issue does not affect Jenkins installations that have explicitly disabled the 'file:' prefix interpolator, or installations that have disabled the 'file:' interpolator through configuration options.
Check for Jenkins installations that are vulnerable to this issue
The following command lists all installations of Jenkins that are vulnerable to this issue:
$ curl -s https://updates.jenkins-ci.org/downloads/latest | grep "Apache Commons Configuration"
Jenkins Pipelines Utility Steps plugin 2.13.1 and earlier is vulnerable to privilege escalation due to a design error in Apache Commons Configuration version 1.2.5 and earlier, which caused the pipeline steps plugin to use the 'file:' prefix interpolator. This vulnerability is addressed by upgrading to Apache Commons Configuration version 1.3.0, released on June 18th 2018
Cause
The vulnerability is caused when Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier, when installed on a system with Apache Commons Configuration version 1.2.5 or earlier, does not sufficiently validate the path parameter of the 'file:' prefix interpolator via the Jenkins pipeline configuration file (job.xml).
Description of the issue
The Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier, when installed on a system with Apache Commons Configuration version 1.2.5 or earlier, is vulnerable to a privilege escalation due to the 'file:' prefix interpolator.
CVE-2018-8015 - Apache Commons Configuration Vulnerability
A vulnerability in Apache Commons Configuration version 1.2.5 and earlier, when installed on a system with Jenkins Pipeline Utility Steps Plugin 2.13.1 or earlier, allows a malicious user to escalate privileges to root by using the 'file:' prefix interpolator to execute arbitrary commands as root.
Timeline
Published on: 11/15/2022 20:15:00 UTC
Last modified on: 11/29/2022 14:19:00 UTC