PT-2022-17115 · Jenkins · Jenkins Pipeline: Groovy Plugin

Published 2022-02-15 · Updated 2023-11-30 · CVE-2022-25176

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Pipeline: Groovy Plugin versions 2648.va9433432b33c and earlier

Description: The issue allows attackers who can configure Pipelines to read arbitrary files on the Jenkins controller file system. This is because the plugin follows symbolic links to locations outside of the checkout directory for the configured SCM when reading the script file (typically Jenkinsfile) for Pipelines.

Recommendations: For versions 2648.va9433432b33c and earlier, consider restricting access to the Jenkins controller file system to minimize the risk of exploitation. As a temporary workaround, limit the ability to configure Pipelines to trusted users only until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
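As an added illustration that is not the plugin's own code, the Python below shows the containment check whose absence the description refers to: the script path is resolved with every symlink followed, and the read is refused unless the real target still lies inside the checkout directory. The function names, the temporary directory layout and the file contents are all constructed for this example.

```python
"""Symlink-safe containment check for a Pipeline script path (constructed example)."""
import os
import tempfile
from pathlib import Path


class OutsideCheckoutError(Exception):
    """Raised when a script path escapes the SCM checkout directory."""


def resolve_within_checkout(checkout_dir, script_path: str) -> Path:
    """Resolve script_path relative to checkout_dir, following symlinks,
    and return it only if the real target is still inside the checkout.

    Path.resolve() canonicalises every symlink component, so a link that
    points outside the checkout (or a '..' traversal) yields a real path
    that fails the parent check and is rejected instead of being read.
    """
    base = Path(checkout_dir).resolve(strict=True)
    candidate = (base / script_path).resolve(strict=True)
    if candidate != base and base not in candidate.parents:
        raise OutsideCheckoutError(f"{script_path!r} resolves to {candidate}")
    return candidate


def demo() -> dict:
    """Exercise the check against a constructed workspace: one checkout with a
    real Jenkinsfile, one whose 'Jenkinsfile' is a symlink to a file outside it,
    plus a plain '..' traversal. Returns what each attempt produced."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        outside = root / "controller-file.txt"      # stand-in for a controller-only file
        outside.write_text("not for pipelines\n")

        honest = root / "checkout-honest"
        honest.mkdir()
        (honest / "Jenkinsfile").write_text("pipeline { agent any }\n")

        linked = root / "checkout-linked"
        linked.mkdir()
        os.symlink(outside, linked / "Jenkinsfile")   # symlink escapes the checkout

        results = {}
        results["honest"] = resolve_within_checkout(honest, "Jenkinsfile").read_text()
        for name, checkout, rel in [("symlink", linked, "Jenkinsfile"),
                                    ("traversal", honest, "../controller-file.txt")]:
            try:
                resolve_within_checkout(checkout, rel)
                results[name] = "allowed"
            except OutsideCheckoutError:
                results[name] = "rejected"
        return results
```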

Weakness Enumeration

Link Following

Related Identifiers

CVE-2022-25176
GHSA-6473-GQRJ-4P65
RHSA-2022:0871
RHSA-2022:1021
RHSA-2022:1025
RHSA-2022:1248
RHSA-2022:1420
RHSA-2022:1620

Affected Products

Jenkins
Jenkins Pipeline: Groovy Plugin