CVE-2022-25177

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Jenkins Pipeline: Shared Groovy Libraries Plugin versions 552.vd9cc05b8a2e1 and earlier

Description The issue allows attackers who can configure Pipelines to read arbitrary files on the Jenkins controller file system. This is because the plugin follows symbolic links to locations outside of the expected Pipeline library when reading files using the libraryResource step.

Recommendations For versions 552.vd9cc05b8a2e1 and earlier, consider restricting access to the libraryResource step until a patch is available. As a temporary workaround, avoid using the libraryResource step to read files from untrusted sources.

Fix

Link Following

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-59

Related Identifiers

CVE-2022-25177

GHSA-Q234-X887-9RXH

RHSA-2022:0871

RHSA-2022:1021

RHSA-2022:1025

RHSA-2022:1248

RHSA-2022:1420

RHSA-2022:1620

Affected Products

Jenkins

Jenkins Pipeline: Shared Groovy Libraries Plugin

CVE-2022-25177

Weakness Enumeration

Related Identifiers

Affected Products

References · 7