PT-2022-17123 · Jenkins · Jenkins Pipeline: Shared Groovy Libraries Plugin

Published: 2022-02-15 · Updated: 2023-12-21 · CVE-2022-25183

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Jenkins Pipeline: Shared Groovy Libraries Plugin versions 552.vd9cc05b8a2e1 and earlier

Description

The issue allows attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM using specially crafted library names if a global Pipeline library configured to use caching already exists. This is due to the names of Pipeline libraries being used to create cache directories without any sanitization.

Recommendations

For Jenkins Pipeline: Shared Groovy Libraries Plugin versions 552.vd9cc05b8a2e1 and earlier, update to a version that sanitizes the names of Pipeline libraries when creating library cache directories, such as version 561.va ce0de3c2d69 or later. As a temporary workaround, consider restricting access to the cache directories or disabling the caching feature for global Pipeline libraries until a patch is applied.
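
The class of flaw described above, shown as an added example (not the plugin's code or its actual fix): one method uses a library name directly as a cache directory name, the other derives the directory from a SHA-256 digest of the name and checks containment. The class, its method names, the cache root and the sample names are assumptions constructed for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

public class LibraryCacheDir {

    // Pattern the advisory describes: the library name is used as a path component as-is.
    static Path unsanitizedCacheDir(Path cacheRoot, String libraryName) {
        return cacheRoot.resolve(libraryName).normalize();
    }

    // Hardened variant (assumption, not the plugin's fix): the directory name is the
    // SHA-256 hex digest of the library name, so no character of the name reaches the path.
    static Path hashedCacheDir(Path cacheRoot, String libraryName) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256")
                .digest(libraryName.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        Path dir = cacheRoot.resolve(hex.toString()).normalize();
        if (!isDirectChild(cacheRoot, dir)) { // defence in depth: refuse anything outside the root
            throw new IllegalArgumentException("cache directory escapes the cache root");
        }
        return dir;
    }

    // True only when candidate is an immediate child of root after normalization.
    static boolean isDirectChild(Path root, Path candidate) {
        Path r = root.toAbsolutePath().normalize();
        Path c = candidate.toAbsolutePath().normalize();
        return c.getParent() != null && c.getParent().equals(r);
    }

    public static void main(String[] args) throws Exception {
        Path root = Paths.get("/tmp/example-library-cache"); // constructed cache root
        // Constructed names: one ordinary, two containing path syntax.
        String[] names = {"shared-lib", "team/../../elsewhere", "/tmp/other"};
        for (String name : names) {
            Path raw = unsanitizedCacheDir(root, name);
            System.out.printf("%-22s raw=%s (direct child of root: %b)%n    hashed=%s%n",
                    name, raw, isDirectChild(root, raw), hashedCacheDir(root, name));
        }
    }
}
```

The same `isDirectChild` check can be used to audit existing cache directories against the configured library names before and after upgrading.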

Fix

Protection Mechanism Failure

Weakness Enumeration

Related Identifiers

CVE-2022-25183
GHSA-PFWP-Q984-W7WH
RHSA-2022:0871
RHSA-2022:1021
RHSA-2022:1025
RHSA-2022:1248
RHSA-2022:1420
RHSA-2022:1620

Affected Products

Jenkins
Jenkins Pipeline: Shared Groovy Libraries Plugin