PT-2022-20401 · Jenkins · Jenkins Git Plugin

Daniel Beck · Published 2022-05-17 · Updated 2024-01-09 · CVE-2022-30947

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Git Plugin versions 4.11.1 and earlier

Description: The issue allows attackers who can configure pipelines to check out SCM repositories stored on the Jenkins controller's file system by using local paths as SCM URLs. This lets them obtain limited information about other projects' SCM contents. Historically, only Jenkins agents checked out from SCM, and no isolation between builds was expected beyond the use of separate workspaces (unless overridden). Some Pipeline-related features also check out SCMs on the Jenkins controller itself, which is what makes this issue possible.

Recommendations: For Jenkins Git Plugin versions 4.11.1 and earlier, consider updating to a version later than 4.11.1 to resolve the issue. As a temporary workaround, restrict the ability to configure pipelines to trusted users and limit the use of local paths as SCM URLs to reduce the risk of exploitation.
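A defender-side check supporting the workaround above, added here as an example and not part of the advisory or of the Git plugin itself: it classifies a pipeline's configured SCM URL as local (controller file system) or remote, so a configuration review or admission script can flag local paths before they are used on the controller. The URL-form rules are assumptions that approximate git's own URL handling, and the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Schemes that make git talk to a remote server rather than the local disk.
REMOTE_SCHEMES = {"http", "https", "ssh", "git", "git+ssh", "ssh+git"}
# scp-like syntax such as git@host:org/repo.git or host:repo (no scheme).
SCP_LIKE = re.compile(r"^(?:[\w.-]+@)?[\w.-]+:(?!//)\S*$")
# Windows drive-letter paths such as C:\repos\x or C:/repos/x.
DRIVE_PATH = re.compile(r"^[A-Za-z]:[\\/]")


def is_local_scm_url(url: str) -> bool:
    """Return True when git would read `url` from the local file system.

    Constructed heuristic approximating git's URL rules; it errs on the side
    of treating anything unrecognised as local so that it gets reviewed.
    """
    url = url.strip()
    if not url or DRIVE_PATH.match(url):
        return True
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "file":
        return True                      # file:// always means local disk
    if scheme in REMOTE_SCHEMES and parts.netloc:
        return False                     # e.g. https://host/org/repo.git
    if SCP_LIKE.match(url):
        return False                     # e.g. git@host:org/repo.git
    return True                          # absolute, relative or ~ paths


def flag_local_scm_urls(urls):
    """Return the subset of `urls` that point at the local file system."""
    return [u for u in urls if is_local_scm_url(u)]


# Constructed sample of SCM URLs as they might appear in pipeline definitions.
SAMPLE_URLS = [
    "https://github.com/example-org/app.git",
    "git@github.com:example-org/app.git",
    "ssh://git@git.example.internal/app.git",
    "file:///var/lib/jenkins/jobs/other-job/workspace",
    "/var/lib/jenkins/jobs/other-job/workspace/.git",
    "../other-job/workspace",
]

if __name__ == "__main__":
    for u in flag_local_scm_urls(SAMPLE_URLS):
        print("local path used as SCM URL:", u)
```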

Weakness Enumeration
Path traversal

Related Identifiers
CVE-2022-30947
GHSA-84CM-VJWM-M979

Affected Products

Jenkins
Jenkins Git Plugin