Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS03dzJ3LWZ3cGYtOW00aM0sRg
Jenkins Pipeline: Deprecated Groovy Libraries Plugin Protection Mechanism Failure
Jenkins Pipeline: Deprecated Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier uses the same workspace directory for all checkouts of Pipeline libraries with the same name regardless of the SCM being used and the source of the library configuration.
This allows attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM through crafted SCM contents, if a global Pipeline library already exists.
Pipeline: Deprecated Groovy Libraries Plugin 561.va_ce0de3c2d69 uses distinct checkout directories per SCM for Pipeline libraries.
Permalink: https://github.com/advisories/GHSA-7w2w-fwpf-9m4hJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03dzJ3LWZ3cGYtOW00aM0sRg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 2 years ago
Updated: 4 months ago
CVSS Score: 8.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-7w2w-fwpf-9m4h, CVE-2022-25181
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-25181
- https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2441
- https://github.com/jenkinsci/workflow-cps-global-lib-plugin/commit/ace0de3c2d691662021ea10306eeb407da6b6365
- https://github.com/advisories/GHSA-7w2w-fwpf-9m4h
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins.workflow:workflow-cps-global-lib
Affected Version Ranges: <= 552.vd9cc05b8a2e1Fixed in: 561.va_ce0de3c2d69