VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-5jjh-qcnz-mye7

Essentials
Severities (29)
References (11)
Severity details (16)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-5jjh-qcnz-mye7
Aliases	CVE-2022-45381 GHSA-3g9q-cmgv-g4p6
Summary	Arbitrary file read vulnerability in Jenkins Pipeline Utility Steps Plugin Pipeline Utility Steps Plugin implements a `readProperties` Pipeline step that supports interpolation of variables using the Apache Commons Configuration library. Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of this library that enable the `file:` prefix interpolator by default. This allows attackers able to configure Pipelines to read arbitrary files from the Jenkins controller file system. Pipeline Utility Steps Plugin 2.13.2 restricts the set of prefix interpolators enabled by default to `base64Decoder:`, `base64Encoder:`, `date:`, `urlDecoder:`, and `urlEncoder:`. Administrators can set the [Java system property](https://www.jenkins.io/doc/book/managing/system-properties/) `org.jenkinsci.plugins.pipeline.utility.steps.conf.ReadPropertiesStepExecution.CUSTOM_PREFIX_INTERPOLATOR_LOOKUPS` to customize which prefix interpolators are enabled.
Status	Published
Exploitability	0.5
Weighted Severity	8.0
Risk	4.0
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	8.1	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-45381.json
epss	0.00274	https://api.first.org/data/v1/epss?cve=CVE-2022-45381
epss	0.00274	https://api.first.org/data/v1/epss?cve=CVE-2022-45381
epss	0.00274	https://api.first.org/data/v1/epss?cve=CVE-2022-45381
epss	0.00274	https://api.first.org/data/v1/epss?cve=CVE-2022-45381
epss	0.00274	https://api.first.org/data/v1/epss?cve=CVE-2022-45381
epss	0.00274	https://api.first.org/data/v1/epss?cve=CVE-2022-45381
epss	0.00274	https://api.first.org/data/v1/epss?cve=CVE-2022-45381
epss	0.00274	https://api.first.org/data/v1/epss?cve=CVE-2022-45381
epss	0.00291	https://api.first.org/data/v1/epss?cve=CVE-2022-45381
epss	0.00291	https://api.first.org/data/v1/epss?cve=CVE-2022-45381
epss	0.0031	https://api.first.org/data/v1/epss?cve=CVE-2022-45381
epss	0.0031	https://api.first.org/data/v1/epss?cve=CVE-2022-45381
epss	0.0031	https://api.first.org/data/v1/epss?cve=CVE-2022-45381
cvssv3.1_qr	HIGH	https://github.com/advisories/GHSA-3g9q-cmgv-g4p6
cvssv3.1	7.5	https://github.com/jenkinsci/pipeline-utility-steps-plugin
generic_textual	HIGH	https://github.com/jenkinsci/pipeline-utility-steps-plugin
cvssv3.1	7.5	https://github.com/jenkinsci/pipeline-utility-steps-plugin/commit/01be8ac0045027128fc1e9cf3a8b0709d08291ea
generic_textual	HIGH	https://github.com/jenkinsci/pipeline-utility-steps-plugin/commit/01be8ac0045027128fc1e9cf3a8b0709d08291ea
cvssv3.1	7.5	https://nvd.nist.gov/vuln/detail/CVE-2022-45381
generic_textual	HIGH	https://nvd.nist.gov/vuln/detail/CVE-2022-45381
cvssv3.1	7.5	https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2949
cvssv3.1	8.1	https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2949
generic_textual	HIGH	https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2949
ssvc	Track	https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2949
cvssv3.1	7.5	http://www.openwall.com/lists/oss-security/2022/11/15/4
cvssv3.1	8.1	http://www.openwall.com/lists/oss-security/2022/11/15/4
generic_textual	HIGH	http://www.openwall.com/lists/oss-security/2022/11/15/4
ssvc	Track	http://www.openwall.com/lists/oss-security/2022/11/15/4

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-45381.json
		https://api.first.org/data/v1/epss?cve=CVE-2022-45381
		https://github.com/jenkinsci/pipeline-utility-steps-plugin
		https://github.com/jenkinsci/pipeline-utility-steps-plugin/commit/01be8ac0045027128fc1e9cf3a8b0709d08291ea
		https://nvd.nist.gov/vuln/detail/CVE-2022-45381
		https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2949
		http://www.openwall.com/lists/oss-security/2022/11/15/4
2143089		https://bugzilla.redhat.com/show_bug.cgi?id=2143089
GHSA-3g9q-cmgv-g4p6		https://github.com/advisories/GHSA-3g9q-cmgv-g4p6
RHSA-2023:0560		https://access.redhat.com/errata/RHSA-2023:0560
RHSA-2023:0777		https://access.redhat.com/errata/RHSA-2023:0777

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-45381.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/jenkinsci/pipeline-utility-steps-plugin

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/jenkinsci/pipeline-utility-steps-plugin/commit/01be8ac0045027128fc1e9cf3a8b0709d08291ea

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-45381

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2949

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Found at https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2949

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-30T14:10:21Z/ Found at https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2949

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Found at http://www.openwall.com/lists/oss-security/2022/11/15/4

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N Found at http://www.openwall.com/lists/oss-security/2022/11/15/4

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-04-30T14:10:21Z/ Found at http://www.openwall.com/lists/oss-security/2022/11/15/4

Exploit Prediction Scoring System (EPSS)

Percentile	0.50716
EPSS Score	0.00274
Published At	April 7, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T13:07:14.956984+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-3g9q-cmgv-g4p6/GHSA-3g9q-cmgv-g4p6.json	38.0.0