Loading HuntDB...
Hunt
Vulnerability Intelligence by wss.sh
Home Daily Briefings High Impact CVEs Recent Exploits KEV Catalog GitHub Advisories Latest Updates Security News
Sign In Sign Up

CVE-2022-25181

UNKNOWN
Published 2022-02-15T16:11:03
Actions:

Expert Analysis

Professional remediation guidance

Get tailored security recommendations from our analyst team for CVE-2022-25181. We'll provide specific mitigation strategies based on your environment and risk profile.

No CVSS data available

Description

A sandbox bypass vulnerability in Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier allows attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM through crafted SCM contents, if a global Pipeline library already exists.

Available Exploits

No exploits available for this CVE.

Related News

No news articles found for this CVE.

Affected Products

Jenkins project

Jenkins Pipeline: Shared Groovy Libraries Plugin

Affected Versions:

unspecified 2.21.1 2.18.1

GitHub Security Advisories

Community-driven vulnerability intelligence from GitHub

✓ GitHub Reviewed HIGH

Jenkins Pipeline: Deprecated Groovy Libraries Plugin Protection Mechanism Failure

GHSA-7w2w-fwpf-9m4h

Advisory Details

Jenkins Pipeline: Deprecated Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier uses the same workspace directory for all checkouts of Pipeline libraries with the same name regardless of the SCM being used and the source of the library configuration. This allows attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM through crafted SCM contents, if a global Pipeline library already exists. Pipeline: Deprecated Groovy Libraries Plugin 561.va_ce0de3c2d69 uses distinct checkout directories per SCM for Pipeline libraries.

Affected Packages

Maven org.jenkins-ci.plugins.workflow:workflow-cps-global-lib
ECOSYSTEM: ≥0 <561.va_ce0de3c2d69

CVSS Scoring

CVSS Score

7.5

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2022-25181
WEB https://github.com/jenkinsci/workflow-cps-global-lib-plugin/commit/ace0de3c2d691662021ea10306eeb407da6b6365
WEB https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2441

Advisory provided by GitHub Security Advisory Database. Published: February 16, 2022, Modified: October 27, 2023

References

https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2441
Published: 2022-02-15T16:11:03
Last Modified: 2024-08-03T04:36:05.788Z
Copied to clipboard!