CVE-2022-25174

Name of the Vulnerable Software and Affected Versions Jenkins Pipeline: Shared Groovy Libraries Plugin versions 552.vd9cc05b8a2e1 and earlier Jenkins Pipeline: Shared Groovy Libraries Plugin version 2.18.1 Jenkins Pipeline: Shared Groovy Libraries Plugin version 2.21.1

Description The issue allows attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents. This is possible because the plugin uses the same checkout directories for distinct SCMs for Pipeline libraries.

Recommendations For versions 552.vd9cc05b8a2e1 and earlier, update to a version later than 552.vd9cc05b8a2e1. For version 2.18.1, update to a version later than 2.18.1. For version 2.21.1, update to a version later than 2.21.1. As a temporary workaround, consider restricting access to the plugin's library checkout directories to minimize the risk of exploitation.