CVE-2022-25178

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Jenkins Pipeline: Shared Groovy Libraries Plugin versions 552.vd9cc05b8a2e1 and earlier

Description The issue allows attackers with permission to configure Pipelines to read arbitrary files on the Jenkins controller file system. This is due to the lack of restriction on the names of resources passed to the libraryResource step.

Recommendations For versions 552.vd9cc05b8a2e1 and earlier, consider restricting access to the libraryResource step until a patch is available. As a temporary workaround, limit the configuration of Pipelines to trusted users to minimize the risk of exploitation.

Fix

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

CVE-2022-25178

GHSA-5HFV-MG5X-MV32

RHSA-2022:0871

RHSA-2022:1021

RHSA-2022:1025

RHSA-2022:1248

RHSA-2022:1420

RHSA-2022:1620

Affected Products

Jenkins

Jenkins Pipeline: Shared Groovy Libraries Plugin

CVE-2022-25178

Weakness Enumeration

Related Identifiers

Affected Products

References · 9