{"id":"CVE-2022-34177","details":"Jenkins Pipeline: Input Step Plugin 448.v37cea_9a_10a_70 and earlier archives files uploaded for `file` parameters for Pipeline `input` steps on the controller as part of build metadata, using the parameter name without sanitization as a relative path inside a build-related directory, allowing attackers able to configure Pipelines to create or replace arbitrary files on the Jenkins controller file system with attacker-specified content.","aliases":["GHSA-29q6-p2cg-4v23"],"modified":"2026-03-13T05:51:13.280459Z","published":"2022-06-23T17:15:15.680Z","references":[{"type":"ADVISORY","url":"https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2705"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/pipeline-input-step-plugin","events":[{"introduced":"0"},{"last_affected":"37cea9a10a7031d140b783e8fa80e7c1430949ff"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"448.v37cea_9a_10a_70"}]}}],"versions":["427.va6441fa17010","446.vf27b_0b_83500e","447.v95e5a_6e3502a_","448.v37cea_9a_10a_70","pipeline-input-step-2.0","pipeline-input-step-2.1","pipeline-input-step-2.10","pipeline-input-step-2.11","pipeline-input-step-2.12","pipeline-input-step-2.2","pipeline-input-step-2.3","pipeline-input-step-2.4","pipeline-input-step-2.5","pipeline-input-step-2.6","pipeline-input-step-2.7","pipeline-input-step-2.8","pipeline-input-step-2.9"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-34177.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}