CVE-2022-25179

Name of the Vulnerable Software and Affected Versions Jenkins Pipeline: Multibranch Plugin versions 706.vd43c65dec013 and earlier Jenkins Pipeline: Multibranch Plugin prior to 2.23.1, 2.26.1, 696.698.v9b4218eea50f, and 707.v71c3f0a 6ccdb

Description The issue allows attackers with permission to configure Pipelines to read arbitrary files on the Jenkins controller file system. This is possible because the Jenkins Pipeline: Multibranch Plugin follows symbolic links to locations outside of the checkout directory for the configured SCM when reading files using the readTrusted step.

Recommendations For Jenkins Pipeline: Multibranch Plugin versions 706.vd43c65dec013 and earlier, update to a version later than 706.vd43c65dec013. For Jenkins Pipeline: Multibranch Plugin prior to 2.23.1, update to version 2.23.1 or later. For Jenkins Pipeline: Multibranch Plugin prior to 2.26.1, update to version 2.26.1 or later. For Jenkins Pipeline: Multibranch Plugin prior to 696.698.v9b4218eea50f, update to version 696.698.v9b4218eea50f or later. For Jenkins Pipeline: Multibranch Plugin prior to 707.v71c3f0a 6ccdb , update to version 707.v71c3f0a 6ccdb or later. As a temporary workaround, consider restricting access to the readTrusted step until a patch is available.