Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS02NDczLWdxcmotNHA2Nc0sSQ

Improper Link Resolution Before File Access in Jenkins Pipeline: Groovy Plugin

Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier follows symbolic links to locations outside the checkout directory of the configured SCM when reading the Pipeline script file (typically the Jenkinsfile), allowing attackers able to configure Pipelines to read arbitrary files on the Jenkins controller file system.

Permalink: https://github.com/advisories/GHSA-6473-gqrj-4p65
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02NDczLWdxcmotNHA2Nc0sSQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 11 months ago
CVSS Score: 6.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-6473-gqrj-4p65, CVE-2022-25176
References:
Blast Radius: 1.0

Affected Packages

maven:org.jenkins-ci.plugins.workflow:workflow-cps
Affected Version Ranges: >= 2.95, < 2648.2651.v230593e03e9f; < 2.92.1; >= 2.93, < 2.94.1
Fixed in: 2648.2651.v230593e03e9f, 2.92.1, 2.94.1