Arbitrary File Read Vulnerability in Jenkins Config Rotator Plugin
CVE-2022-45388 · HIGH Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Jenkins Config Rotator Plugin 2.0.1 and earlier does not restrict a file name query parameter in an HTTP endpoint, allowing unauthenticated attackers to read arbitrary files with '.xml' extension on the Jenkins controller file system.
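The defect class described in the advisory is an endpoint that builds a file path directly from a caller-supplied name and only checks the extension. The following Python illustration, added here and not taken from the plugin or from Jenkins, contrasts that pattern with a hardened resolver that rejects separators, canonicalises the path, and requires the result to stay inside the intended directory. The directory layout, file names and function names are constructed for the example.

```python
"""Illustration of an unrestricted file-name parameter and its fix.

Constructed example, not the plugin's code: `configs/` stands in for the
directory the endpoint is meant to serve, and `secret.xml` for a file one
level above it that must never be reachable through the parameter.
"""
import tempfile
from pathlib import Path


def vulnerable_read(root: Path, name: str) -> bytes:
    """Vulnerable pattern: the request parameter is joined onto the root as-is.

    `Path(root, "../x.xml")` walks out of `root`, and `Path(root, "/abs/x.xml")`
    discards `root` entirely; the only remaining guard is the ".xml" suffix.
    """
    target = Path(root, name)
    if target.suffix != ".xml":
        raise ValueError("not an .xml file")
    return target.read_bytes()


def safe_read(root: Path, name: str) -> bytes:
    """Hardened pattern: accept a bare file name, then verify containment.

    1. Reject anything that is not a single path component.
    2. Canonicalise (resolves symlinks and "..") and require the parent of
       the result to be the canonical root, so neither traversal nor a
       symlink inside the root can reach files outside it.
    3. Keep the extension check as the final, not the only, filter.
    """
    if not name or "/" in name or "\\" in name or name in (".", ".."):
        raise ValueError("invalid file name")
    base = root.resolve()
    target = (base / name).resolve()
    if target.parent != base:
        raise ValueError("path escapes configuration directory")
    if target.suffix != ".xml":
        raise ValueError("not an .xml file")
    return target.read_bytes()


def demo() -> dict:
    """Exercise both readers against a constructed directory tree."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        configs = tmp / "configs"
        configs.mkdir()
        (configs / "job.xml").write_text("<job/>")
        (tmp / "secret.xml").write_text("<secret/>")

        results = {}
        results["vuln_legit"] = vulnerable_read(configs, "job.xml")
        # Traversal succeeds: the suffix check is satisfied by the escaped path.
        results["vuln_traversal"] = vulnerable_read(configs, "../secret.xml")
        results["safe_legit"] = safe_read(configs, "job.xml")
        try:
            safe_read(configs, "../secret.xml")
            results["safe_traversal"] = "read"
        except ValueError:
            results["safe_traversal"] = "rejected"
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The containment check (`target.parent != base`) is the part that matters: an extension or substring filter alone leaves the caller free to choose any directory, which is exactly the condition the advisory describes.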