AVID-2026-R1131

Description

Vulnerability CVE-2022-41237

Details

Jenkins DotCi Plugin 2.40.00 and earlier does not configure its YAML parser to prevent the instantiation of arbitrary types, resulting in a remote code execution vulnerability.

Reason for inclusion in AVID: CVE-2022-41237 describes a remote code execution vulnerability in the Jenkins DotCi Plugin due to unsafe YAML deserialization. While not AI-specific, Jenkins is a common CI/CD platform used in AI software pipelines for building, testing, and deploying AI models and workflows. This vulnerability affects a component in the software supply chain (CI/CD) that can impact AI system deployment and artifacts, posing a security risk in AI pipelines. There is explicit evidence (CVE entry and Jenkins advisory) supporting the vulnerability and its impact.
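The defect is a parser configuration, so here is the weak setting beside the hardened one, as an added illustration rather than the plugin's own code. It assumes the SnakeYAML 1.x API (the library behind most Jenkins YAML handling); the documents, the class tag and the class names are constructed for the demo.

```java
import java.util.Map;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

public class YamlLoaderCheck {
    // Constructed sample documents. The tagged one asks the parser to build a JDK
    // class; java.io.File is harmless, the point is whether the tag is honoured at all.
    static final String PLAIN_DOC  = "build:\n  script: mvn verify\n";
    static final String TAGGED_DOC = "build: !!java.io.File /tmp/anything\n";

    // Weak: in SnakeYAML 1.x the default Constructor resolves "!!fully.qualified.Class"
    // tags and instantiates whatever class the document names (the CVE-2022-41237 pattern).
    static Object loadWithDefaults(String doc) {
        return new Yaml().load(doc);
    }

    // Hardened: SafeConstructor only builds standard YAML types (maps, lists, scalars)
    // and rejects every class tag with a ConstructorException (a YAMLException).
    static Object loadSafely(String doc) {
        return new Yaml(new SafeConstructor()).load(doc);
    }

    // Returns true when the loader refuses the tagged document, i.e. is configured safely.
    static boolean rejectsClassTags(boolean safe) {
        try {
            Object r = safe ? loadSafely(TAGGED_DOC) : loadWithDefaults(TAGGED_DOC);
            // Assumption: with defaults the value is an instance of the tagged class.
            System.out.println("loader built: " + ((Map<?, ?>) r).get("build").getClass());
            return false;
        } catch (YAMLException e) {
            System.out.println("loader rejected tag: " + e.getMessage());
            return true;
        }
    }

    public static void main(String[] args) {
        System.out.println("safe loader, plain doc: " + loadSafely(PLAIN_DOC));
        System.out.println("safe loader rejects class tags:    " + rejectsClassTags(true));
        System.out.println("default loader rejects class tags: " + rejectsClassTags(false));
    }
}
```

The same check can be dropped into a build to confirm a plugin or pipeline step never constructs a `Yaml` without `SafeConstructor`.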

References

Affected or Relevant Artifacts

  • Developer: Jenkins project
  • Deployer: Jenkins project
  • Artifact Details:
    Type     Name
    System   Jenkins DotCi Plugin

Impact

AVID Taxonomy Categorization

  • Risk domains: Security
  • SEP subcategories: S0100: Software Vulnerability
  • Lifecycle stages: L06: Deployment

Other information

  • Report Type: Advisory
  • Credits:
  • Date Reported: 2022-09-21
  • Version: 0.3.3
  • AVID Entry