CVE-2022-25176

Source
https://cve.org/CVERecord?id=CVE-2022-25176
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-25176.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-25176
Aliases
Downstream
Published
2022-02-15T17:15:08.697Z
Modified
2026-01-29T06:13:59.448847Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
[none]
Details

Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier follows symbolic links to locations outside of the checkout directory for the configured SCM when reading the script file (typically Jenkinsfile) for Pipelines, allowing attackers able to configure Pipelines to read arbitrary files on the Jenkins controller file system.

References

Affected packages

Git / github.com/jenkinsci/workflow-cps-plugin

Affected ranges

Type
GIT
Repo
https://github.com/jenkinsci/workflow-cps-plugin
Events
Introduced
0 (unknown introduced commit; all previous commits are affected)
Last affected

Affected versions

2633.*
2633.v6baeedc13805
2640.*
2640.v00e79c8113de
2644.*
2644.v29a793dac95a
2646.*
2646.v6ed3b5b01ff1
2648.*
2648.va9433432b33c
workflow-cps-2.*
workflow-cps-2.0
workflow-cps-2.1
workflow-cps-2.10
workflow-cps-2.11
workflow-cps-2.12
workflow-cps-2.13
workflow-cps-2.14
workflow-cps-2.15
workflow-cps-2.16
workflow-cps-2.17
workflow-cps-2.18
workflow-cps-2.19
workflow-cps-2.2
workflow-cps-2.20
workflow-cps-2.21
workflow-cps-2.22
workflow-cps-2.23
workflow-cps-2.24
workflow-cps-2.25
workflow-cps-2.26
workflow-cps-2.27
workflow-cps-2.28
workflow-cps-2.29
workflow-cps-2.3
workflow-cps-2.30
workflow-cps-2.31
workflow-cps-2.32
workflow-cps-2.33
workflow-cps-2.34
workflow-cps-2.35
workflow-cps-2.36
workflow-cps-2.37
workflow-cps-2.38
workflow-cps-2.39
workflow-cps-2.4
workflow-cps-2.40
workflow-cps-2.41
workflow-cps-2.42
workflow-cps-2.43
workflow-cps-2.44
workflow-cps-2.45
workflow-cps-2.46
workflow-cps-2.47
workflow-cps-2.48
workflow-cps-2.49
workflow-cps-2.5
workflow-cps-2.50
workflow-cps-2.51
workflow-cps-2.52
workflow-cps-2.53
workflow-cps-2.54
workflow-cps-2.55
workflow-cps-2.56
workflow-cps-2.57
workflow-cps-2.58
workflow-cps-2.58-beta-1
workflow-cps-2.59
workflow-cps-2.6
workflow-cps-2.60
workflow-cps-2.61
workflow-cps-2.62
workflow-cps-2.63
workflow-cps-2.64
workflow-cps-2.65
workflow-cps-2.66
workflow-cps-2.67
workflow-cps-2.68
workflow-cps-2.69
workflow-cps-2.7
workflow-cps-2.70
workflow-cps-2.71
workflow-cps-2.72
workflow-cps-2.73
workflow-cps-2.74
workflow-cps-2.75
workflow-cps-2.76
workflow-cps-2.77
workflow-cps-2.78
workflow-cps-2.79
workflow-cps-2.8
workflow-cps-2.80
workflow-cps-2.81
workflow-cps-2.82
workflow-cps-2.83
workflow-cps-2.84
workflow-cps-2.85
workflow-cps-2.86
workflow-cps-2.87
workflow-cps-2.88
workflow-cps-2.89
workflow-cps-2.9
workflow-cps-2.90
workflow-cps-2.91
workflow-cps-2.92
workflow-cps-2.93
workflow-cps-2.94

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-25176.json"