PT-2022-20402 · Jenkins · Jenkins Mercurial Plugin

Daniel Beck

·

Published

2022-05-17

·

Updated

2023-11-03

·

CVE-2022-30948

CVSS v3.1

7.5

High

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Mercurial Plugin versions 2.16 and earlier
Description: Jenkins Mercurial Plugin 2.16 and earlier allows attackers who can configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system by supplying a local file system path, rather than a remote repository URL, as the SCM source. This lets them obtain limited information about other projects' SCM contents. Historically, in Jenkins, only agents checked out from SCM; if multiple projects share the same agent, there is no expected isolation between builds beyond the use of separate workspaces, unless overridden. Some Pipeline-related features, however, perform SCM checkouts on the Jenkins controller as well, so a pipeline whose Mercurial source points at a path on the controller reads repository data that belongs to other jobs.
Recommendations: For Jenkins Mercurial Plugin versions 2.16 and earlier, restrict the ability to configure pipelines to trusted users and audit existing job definitions for Mercurial SCM sources that are local paths or file:// URLs instead of remote repository URLs. Also limit what is reachable on the controller's file system to reduce the impact of a controller-side checkout. This entry records no plugin version that contains a fix; consult the advisories listed under Related Identifiers for fix availability.
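The audit suggested above, as an added example that is not code from Jenkins, the Mercurial Plugin, or this advisory entry: it classifies Mercurial source strings as remote, local, or unrecognised, and scans job config.xml files for MercurialSCM blocks whose source is not a remote URL. It assumes (not taken from the entry) that the plugin stores the repository URL in a <source> element inside an element with the class attribute hudson.plugins.mercurial.MercurialSCM; the config.xml fragments and paths below are constructed for illustration.

```python
"""Audit Jenkins job config.xml files for Mercurial SCM sources that resolve on
the controller's own file system instead of pointing at a remote repository.

Added example, not Jenkins or Mercurial Plugin code. Assumed (verify against
your own config.xml): the repository URL lives in a <source> element under an
element whose class attribute is hudson.plugins.mercurial.MercurialSCM.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path
from urllib.parse import urlparse

MERCURIAL_SCM_CLASS = "hudson.plugins.mercurial.MercurialSCM"  # assumed class attribute
REMOTE_SCHEMES = {"http", "https", "ssh"}  # schemes Mercurial uses for remote repositories
_WINDOWS_DRIVE = re.compile(r"^[A-Za-z]:[\\/]")


def classify_source(source: str) -> str:
    """Return "remote", "local" or "unknown" for a Mercurial source string.

    Mercurial requires a scheme for remote repositories, so a bare path (absolute,
    relative, or Windows drive letter) or a file:// URL is resolved on whichever
    machine performs the checkout; for controller-side Pipeline checkouts that is
    the controller's file system. Anything else is flagged for manual review.
    """
    s = source.strip()
    if not s:
        return "unknown"  # empty source: misconfigured, review it
    if _WINDOWS_DRIVE.match(s):
        return "local"  # e.g. C:\jenkins\jobs\...; urlparse would misread "C" as a scheme
    scheme = urlparse(s).scheme.lower()
    if scheme in ("", "file"):
        return "local"
    if scheme in REMOTE_SCHEMES:
        return "remote"
    return "unknown"


def find_suspect_mercurial_sources(config_xml: str) -> list[tuple[str, str]]:
    """Return (source, verdict) for every MercurialSCM block whose source is not remote."""
    root = ET.fromstring(config_xml)
    findings = []
    for elem in root.iter():  # catches <scm> in freestyle jobs and inside Pipeline definitions
        if elem.get("class") != MERCURIAL_SCM_CLASS:
            continue
        source = elem.findtext("source") or ""
        verdict = classify_source(source)
        if verdict != "remote":
            findings.append((source, verdict))
    return findings


def audit_jenkins_home(jenkins_home: str) -> dict[str, list[tuple[str, str]]]:
    """Walk JENKINS_HOME/jobs (folders nest further jobs/ directories) and report hits."""
    report = {}
    for cfg in sorted(Path(jenkins_home).glob("jobs/**/config.xml")):
        hits = find_suspect_mercurial_sources(cfg.read_text(encoding="utf-8"))
        if hits:
            report[str(cfg)] = hits
    return report


# Constructed config.xml fragments (XML declaration omitted); not real job data.
PIPELINE_REMOTE = """<flow-definition plugin="workflow-job">
  <definition class="org.jenkinsci.plugins.workflow.cps.CpsScmFlowDefinition" plugin="workflow-cps">
    <scm class="hudson.plugins.mercurial.MercurialSCM" plugin="mercurial">
      <source>https://hg.example.org/team/app</source>
      <revisionType>BRANCH</revisionType>
      <revision>default</revision>
    </scm>
    <scriptPath>Jenkinsfile</scriptPath>
    <lightweight>true</lightweight>
  </definition>
</flow-definition>"""

# Same Pipeline job, but the source is a path on the controller (another job's workspace).
PIPELINE_LOCAL = PIPELINE_REMOTE.replace(
    "https://hg.example.org/team/app", "/var/lib/jenkins/jobs/payroll/workspace"
)

FREESTYLE_FILE_URL = """<project>
  <scm class="hudson.plugins.mercurial.MercurialSCM" plugin="mercurial">
    <source>file:///var/lib/jenkins/jobs/payroll/workspace</source>
  </scm>
</project>"""

if __name__ == "__main__":
    samples = [("pipeline-remote", PIPELINE_REMOTE), ("pipeline-local", PIPELINE_LOCAL),
               ("freestyle-file-url", FREESTYLE_FILE_URL)]
    for name, xml in samples:
        print(name, find_suspect_mercurial_sources(xml))
```

Run audit_jenkins_home against a copy of JENKINS_HOME to list every job whose Mercurial source is a path or file:// URL; "unknown" verdicts (an unrecognised scheme or an empty source) are reported too so that nothing is silently skipped. Freestyle jobs normally check out on an agent rather than the controller, so a hit there is worth reviewing but is not by itself the controller-side case this entry describes.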

Weakness Enumeration

Path traversal

Related Identifiers

CVE-2022-30948
GHSA-5786-3QJG-MR88
RHSA-2023:0017

Affected Products

Jenkins
Jenkins Mercurial Plugin