CVE-2022-34181 — Agent-to-controller security bypass in Jenkins xUnit Plugin

Description

xUnit Plugin 3.0.8 and earlier implements an agent-to-controller message that creates a user-specified directory if it doesn’t exist, and parsing files inside it as test results. This allows attackers able to control agent processes to create an arbitrary directory on the Jenkins controller or to obtain test results from existing files in an attacker-specified directory. xUnit Plugin 3.1.0 changes the message type from agent-to-controller to controller-to-agent, preventing execution on the controller.

How to fix CVE-2022-34181

To remediate CVE-2022-34181, upgrade the affected package to a fixed version below.

—upgrade to 3.1.0 or later

Is CVE-2022-34181 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 3.1.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-34181
PATCHgithub.com/jenkinsci/xunit-plugin
WEBgithub.com/jenkinsci/xunit-plugin/commit/6976b5da114845a7936ea36d5783a65cd91f9897
WEBwww.jenkins.io/security/advisory/2022-06-22/#SECURITY-2549