GHSA-6473-gqrj-4p65

Suggest an improvement
Source
https://github.com/advisories/GHSA-6473-gqrj-4p65
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-6473-gqrj-4p65/GHSA-6473-gqrj-4p65.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-6473-gqrj-4p65
Aliases
  • CVE-2022-25176
Published
2022-02-16T00:01:34Z
Modified
2023-11-01T04:58:14.317040Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Improper Link Resolution Before File Access in Jenkins Pipeline: Groovy Plugin
Details

Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier follows symbolic links to locations outside of the checkout directory for the configured SCM when reading the script file (typically Jenkinsfile) for Pipelines, allowing attackers able to configure Pipelines to read arbitrary files on the Jenkins controller file system.

Database specific
{
    "nvd_published_at": "2022-02-15T17:15:00Z",
    "cwe_ids": [
        "CWE-59"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-20T22:46:35Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins.workflow:workflow-cps

Package

Name
org.jenkins-ci.plugins.workflow:workflow-cps
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.93
Fixed
2.94.1

Affected versions

2.*

2.93
2.94

Maven / org.jenkins-ci.plugins.workflow:workflow-cps

Package

Name
org.jenkins-ci.plugins.workflow:workflow-cps
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.92.1

Affected versions

0.*

0.1-beta-1
0.1-beta-2
0.1-beta-3
0.1-beta-4
0.1-beta-5
0.1-beta-6
0.1-beta-7
0.1-beta-8

1.*

1.0-beta-1
1.0
1.1
1.2
1.3
1.4
1.4.1
1.4.2
1.4.3-beta-1
1.4.3
1.5
1.6-alpha-1
1.6
1.7-alpha-1
1.7
1.8
1.9-beta-1
1.9
1.10-beta-1
1.10
1.10.1
1.11-beta-1
1.11-beta-2
1.11-beta-3
1.11-beta-4
1.11
1.12-beta-1
1.12-beta-2
1.12-beta-3
1.12
1.13
1.14-beta-1
1.14
1.14.1-beta-1
1.14.1
1.14.2
1.15-beta-1
1.15

2.*

2.0
2.1
2.2
2.3
2.4
2.5
2.6
2.7
2.8
2.9
2.10
2.11
2.12
2.13
2.14
2.15
2.16
2.17
2.18
2.19
2.20
2.21
2.22
2.23
2.24
2.25
2.26
2.27
2.28
2.29
2.30
2.30-stepstorage2-alpha
2.30-stepstorage2-alpha2
2.30-stepstorage4-beta
2.31
2.32
2.33
2.34
2.35
2.36
2.36.1
2.37
2.38
2.39
2.40
2.41
2.42
2.43
2.43-durability-beta-1
2.43-durability-beta-2
2.43-durability-beta-3
2.43-durability-beta-4
2.44
2.45
2.46
2.46.1
2.46.2
2.47
2.48
2.49
2.50
2.51
2.52
2.53
2.54
2.54.1
2.54.2
2.55
2.56
2.57
2.57.1
2.57.2
2.57.3
2.58-beta-1
2.58
2.59
2.60
2.61
2.61.1
2.61.2
2.61.3
2.62
2.63
2.64
2.65
2.66
2.66.1
2.67
2.68
2.69
2.70
2.71
2.72
2.73
2.74
2.74.1
2.75
2.76
2.77
2.78
2.79
2.80
2.81
2.82
2.83
2.84
2.85
2.86
2.87
2.88
2.89
2.90
2.91
2.92

Maven / org.jenkins-ci.plugins.workflow:workflow-cps

Package

Name
org.jenkins-ci.plugins.workflow:workflow-cps
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.95
Fixed
2648.2651.v230593e03e9f

Affected versions

2633.*

2633.v6baeedc13805

2640.*

2640.v00e79c8113de

2644.*

2644.v29a793dac95a

2646.*

2646.v6ed3b5b01ff1

2648.*

2648.va9433432b33c