CVE-2022-29049

low-risk
Published 2022-04-12

Jenkins promoted builds Plugin 873.v6149db_d64130 and earlier, except 3.10.1, does not validate the names of promotions defined in Job DSL, allowing attackers with Job/Configure permission to create a promotion with an unsafe name.

Do I need to act?

-
0.11% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
5
CVSS 5.4/10 Medium
NETWORK / LOW complexity

Affected Products (1)

Promoted Builds

Affected Vendors

Jenkins

References (2)

Vendor Advisory https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2655
Vendor Advisory https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-2655
26
/ 100
low-risk
Severity 21/34 · High
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal