GHSA-7w2w-fwpf-9m4h

Suggest an improvement
Source
https://github.com/advisories/GHSA-7w2w-fwpf-9m4h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-7w2w-fwpf-9m4h/GHSA-7w2w-fwpf-9m4h.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-7w2w-fwpf-9m4h
Aliases
  • CVE-2022-25181
Published
2022-02-16T00:01:32Z
Modified
2024-01-02T05:48:07.060020Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Jenkins Pipeline: Deprecated Groovy Libraries Plugin Protection Mechanism Failure
Details

Jenkins Pipeline: Deprecated Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier uses the same workspace directory for all checkouts of Pipeline libraries with the same name regardless of the SCM being used and the source of the library configuration.

This allows attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM through crafted SCM contents, if a global Pipeline library already exists.

Pipeline: Deprecated Groovy Libraries Plugin 561.va_ce0de3c2d69 uses distinct checkout directories per SCM for Pipeline libraries.

Database specific
{
    "nvd_published_at": "2022-02-15T17:15:00Z",
    "cwe_ids": [
        "CWE-693"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-20T22:39:16Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins.workflow:workflow-cps-global-lib

Package

Name
org.jenkins-ci.plugins.workflow:workflow-cps-global-lib
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps-global-lib

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
561.va_ce0de3c2d69

Affected versions

0.*

0.1-beta-5
0.1-beta-6
0.1-beta-7
0.1-beta-8

1.*

1.0-beta-1
1.0
1.1
1.2
1.3
1.4
1.4.1
1.4.2
1.4.3-beta-1
1.4.3
1.5
1.6-alpha-1
1.6
1.7-alpha-1
1.7
1.8
1.9-beta-1
1.9
1.10-beta-1
1.10
1.10.1
1.11-beta-1
1.11-beta-2
1.11-beta-3
1.11-beta-4
1.11
1.12-beta-1
1.12-beta-2
1.12-beta-3
1.12
1.13
1.14-beta-1
1.14
1.14.1-beta-1
1.14.1
1.14.2
1.15-beta-1
1.15

2.*

2.0
2.1
2.2
2.3
2.4
2.5
2.6
2.7
2.8
2.9
2.10
2.11
2.12
2.12.1
2.13
2.13.1
2.14
2.15
2.16
2.17
2.18
2.18.1
2.19
2.20
2.21
2.21.1
2.21.3

544.*

544.vff04fa68714d

545.*

545.v7b28cce323cf

548.*

548.v9085a486966a

552.*

552.vd9cc05b8a2e1
552.554.vdba55efb9e88

Database specific

{
    "last_known_affected_version_range": "<= 552.vd9cc05b8a2e1"
}