{
  "threat_severity" : "Moderate",
  "public_date" : "2023-05-16T00:00:00Z",
  "bugzilla" : {
    "description" : "jenkins-2-plugin: pipeline-utility-steps: Arbitrary file write vulnerability on agents in Pipeline Utility Steps Plugin",
    "id" : "2207835",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2207835"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.3",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
    "status" : "verified"
  },
  "details" : [ "An arbitrary file write vulnerability in Jenkins Pipeline Utility Steps Plugin 2.15.2 and earlier allows attackers able to provide crafted archives as parameters to create or replace arbitrary files on the agent file system with attacker-specified content.", "A flaw was found in the Jenkins Pipeline Utility Steps Plugin. Because the plugin does not properly validate archive files, a remote, authenticated attacker can traverse directories on the system. The attacker can use a specially crafted archive file containing \"dot dot\" sequences (/../) to create or replace arbitrary files on the agent file system with attacker-specified content." ],
  "statement" : "OpenShift 3.11 is in Extended Life Cycle Support (ELS). Jenkins and its related technologies will not be supported under ELS. Hence, OpenShift 3.11 is marked as affected with a fix state of \"Will not fix\".",
  "affected_release" : [ {
    "product_name" : "OCP-Tools-4.12-RHEL-8",
    "release_date" : "2023-06-15T00:00:00Z",
    "advisory" : "RHSA-2023:3610",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.12::el8",
    "package" : "jenkins-2-plugins-0:4.12.1686649756-1.el8"
  }, {
    "product_name" : "OpenShift Developer Tools and Services for OCP 4.11",
    "release_date" : "2023-06-19T00:00:00Z",
    "advisory" : "RHSA-2023:3663",
    "cpe" : "cpe:/a:redhat:ocp_tools:4.11::el8",
    "package" : "jenkins-2-plugins-0:4.11.1686831822-1.el8"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4.10",
    "release_date" : "2023-06-23T00:00:00Z",
    "advisory" : "RHSA-2023:3625",
    "cpe" : "cpe:/a:redhat:openshift:4.10::el8",
    "package" : "jenkins-2-plugins-0:4.10.1685679861-1.el8"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat OpenShift Container Platform 3.11",
    "fix_state" : "Will not fix",
    "package_name" : "jenkins-2-plugins",
    "cpe" : "cpe:/a:redhat:openshift:3.11"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2023-32981\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-32981\nhttps://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-2196" ],
  "name" : "CVE-2023-32981",
  "csaw" : false
}