CVE-2022-45381 in Pipeline Utility Steps Plugin
Summary
by MITRE • 11/15/2022
Jenkins Pipeline Utility Steps Plugin 2.13.1 and earlier does not restrict the set of enabled prefix interpolators and bundles versions of Apache Commons Configuration library that enable the 'file:' prefix interpolator by default, allowing attackers able to configure Pipelines to read arbitrary files from the Jenkins controller file system.
Analysis
by VulDB Data Team • 04/30/2025
The vulnerability identified as CVE-2022-45381 affects the Jenkins Pipeline Utility Steps Plugin version 2.13.1 and earlier, representing a critical security flaw that enables unauthorized file system access on Jenkins controllers. This issue stems from the plugin's improper handling of prefix interpolators within the Apache Commons Configuration library, which is bundled with the affected versions. The flaw allows attackers who can configure Jenkins pipelines to exploit the default configuration that enables the 'file:' prefix interpolator, creating a path for arbitrary file reads from the controller's file system.
The vulnerability lies in the Apache Commons Configuration library's interpolation mechanism, specifically the prefix interpolator (lookup) feature that performs variable substitution in configuration data. When the Pipeline Utility Steps plugin processes configuration files on behalf of a pipeline, it does not restrict which prefix interpolators are enabled, so the 'file:' prefix works by default. An attacker who can craft pipeline scripts can therefore use the file: prefix to read files on the Jenkins controller's file system, potentially exposing sensitive data or credentials and enabling further compromise. The issue is particularly dangerous because it is reachable through pipeline configuration changes, a permission commonly granted to developers and other non-administrative users.
From an operational impact perspective, this vulnerability represents a severe privilege escalation risk that can compromise the entire Jenkins infrastructure. Attackers can potentially access sensitive files such as credentials stored in configuration files, build artifacts containing proprietary information, or system files that could reveal system architecture details. The vulnerability is especially concerning in environments where multiple users have pipeline configuration privileges, as it eliminates the need for additional attack vectors to gain file system access. The default enabling of the file: prefix interpolator creates a persistent security risk that remains active until the plugin is updated to a patched version, making it a target for both internal and external attackers seeking to exploit Jenkins environments.
Mitigation of CVE-2022-45381 should prioritize updating the plugin to version 2.14.0 or later, which restricts the set of enabled prefix interpolators. Organizations should also enforce strict access control and privilege management for pipeline configuration, so that only trusted administrators can modify pipeline settings. The weakness is classified as CWE-20: Improper Input Validation, and its impact maps to ATT&CK techniques for privilege escalation and credential access. Additional defensive measures include monitoring pipeline configuration changes, segmenting the network to limit access to the controller, and regularly assessing installed Jenkins plugins for similar issues. Organizations should also disable interpolation features that pipelines do not need and establish automated patch management to prevent similar issues from recurring. The vulnerability illustrates the importance of dependency management and security review of third-party components in continuous integration environments.
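The following Java snippet is an added example, not code from VulDB, Jenkins or the plugin. It shows the interpolation mechanism described above and the "disable unnecessary interpolation features" mitigation in Apache Commons Configuration 2.x terms: instead of accepting the library's default prefix lookups (which, in the bundled versions, include file:), the code installs an explicit allowlist so that a `${file:...}` reference in untrusted configuration data is left unresolved. The class name, the allowlist and the sample property values are constructed for the example; commons-configuration2 is assumed to be on the classpath.

```java
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashMap;
import java.util.Map;

import org.apache.commons.configuration2.PropertiesConfiguration;
import org.apache.commons.configuration2.interpolation.DefaultLookups;
import org.apache.commons.configuration2.interpolation.Lookup;

// Hypothetical helper (not part of the plugin) demonstrating prefix-lookup allowlisting.
public class RestrictedInterpolation {

    // Prefixes a build-side .properties file legitimately needs. Everything else
    // (file:, url:, dns:, script:, ...) is simply not registered and so cannot fire.
    private static final EnumSet<DefaultLookups> ALLOWED = EnumSet.of(
        DefaultLookups.SYSTEM_PROPERTIES,   // ${sys:...}
        DefaultLookups.ENVIRONMENT,         // ${env:...}
        DefaultLookups.CONST);              // ${const:...}

    /** Builds a configuration whose interpolator knows only the allowlisted prefixes. */
    public static PropertiesConfiguration restrictedConfig() {
        Map<String, Lookup> prefixLookups = new HashMap<>();
        for (DefaultLookups lookup : ALLOWED) {
            prefixLookups.put(lookup.getPrefix(), lookup.getLookup());
        }
        PropertiesConfiguration config = new PropertiesConfiguration();
        // Replace the library's default prefix lookups with the explicit allowlist;
        // no extra unprefixed lookups are added.
        config.installInterpolator(prefixLookups, Collections.<Lookup>emptyList());
        return config;
    }

    public static void main(String[] args) {
        PropertiesConfiguration config = restrictedConfig();
        // Constructed sample values standing in for an untrusted properties file.
        config.setProperty("build.user", "${sys:user.name}");
        config.setProperty("suspicious", "${file:utf-8:/placeholder/path/on/controller}");

        // Resolved through the allowlisted sys: lookup.
        System.out.println("build.user = " + config.getString("build.user"));
        // file: is unknown to this interpolator, so the variable is returned
        // verbatim instead of being replaced with file contents.
        System.out.println("suspicious = " + config.getString("suspicious"));
    }
}
```

The second printed line is a useful detection hook as well: an unresolved `${file:` (or `${url:`, `${dns:`, `${script:`) token surviving interpolation of pipeline-supplied data is worth logging and alerting on.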