PT-2022-17112 · Jenkins · Jenkins Pipeline: Groovy Plugin

Daniel Beck · Published 2022-02-15 · Updated 2023-11-30 · CVE-2022-25173

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Jenkins Pipeline: Groovy Plugin versions 2648.va9433432b33c and earlier
Jenkins Pipeline: Groovy Plugin prior to 2656.vf7ae7b_75a_457
Jenkins Pipeline: Groovy Plugin version 2.94.1
Jenkins Pipeline: Groovy Plugin version 2.92.1
Description

The issue allows attackers with Item/Configure permission to invoke arbitrary OS commands on the Jenkins controller through crafted SCM contents. It exists because the plugin uses the same checkout directories for distinct SCMs when reading the Pipeline script file (typically Jenkinsfile) for Pipelines.
Recommendations

For Jenkins Pipeline: Groovy Plugin versions 2648.va9433432b33c and earlier, update to a version later than 2656.vf7ae7b_75a_457.
For Jenkins Pipeline: Groovy Plugin prior to 2656.vf7ae7b_75a_457, update to version 2656.vf7ae7b_75a_457 or later.
For Jenkins Pipeline: Groovy Plugin version 2.94.1, update to a version later than 2.94.1.
For Jenkins Pipeline: Groovy Plugin version 2.92.1, update to a version later than 2.92.1.

As a temporary workaround, consider restricting access to the Jenkinsfile and limiting the permissions of users with Item/Configure permission to minimize the risk of exploitation.

Weakness Enumeration

OS Command Injection

Related Identifiers

CVE-2022-25173
GHSA-4M7P-55JM-3VWV
RHSA-2022:0871
RHSA-2022:1021
RHSA-2022:1025
RHSA-2022:1248
RHSA-2022:1420
RHSA-2022:1620

Affected Products

Jenkins
Jenkins Pipeline: Groovy Plugin