First published: Tue Feb 15 2022(Updated: )
A flaw was found in Jenkins. The Pipeline: Groovy Plugin uses the same checkout directories for distinct SCMs when reading the script file (typically Jenkinsfile) for Pipelines. This flaw allows attackers with item/configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
Affected Software | Affected Version | How to fix |
---|---|---|
maven/org.jenkins-ci.plugins.workflow:workflow-cps | <2.92.1 | 2.92.1 |
maven/org.jenkins-ci.plugins.workflow:workflow-cps | >=2.93<2.94.1 | 2.94.1 |
maven/org.jenkins-ci.plugins.workflow:workflow-cps | >=2646.v6ed3b5b01ff1<2656.vf7a | 2656.vf7a |
Jenkins Pipeline\ | <=2648.va9433432b33c | |
redhat/jenkins | <2-plugins-0:3.11.1650371376-1.el7 | 2-plugins-0:3.11.1650371376-1.el7 |
redhat/jenkins | <2-plugins-0:4.10.1647505461-1.el8 | 2-plugins-0:4.10.1647505461-1.el8 |
redhat/jenkins | <2-plugins-0:4.6.1650364520-1.el8 | 2-plugins-0:4.6.1650364520-1.el8 |
redhat/jenkins | <2-plugins-0:4.7.1648800585-1.el8 | 2-plugins-0:4.7.1648800585-1.el8 |
redhat/jenkins | <2-plugins-0:4.8.1646993358-1.el8 | 2-plugins-0:4.8.1646993358-1.el8 |
redhat/jenkins | <2-plugins-0:4.9.1647580879-1.el8 | 2-plugins-0:4.9.1647580879-1.el8 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
(Appears in the following advisories)
CVE-2022-25173 is classified as a high severity vulnerability due to its potential to allow attackers to execute arbitrary OS commands.
To fix CVE-2022-25173, upgrade Jenkins to version 2.92.1 or later, or ensure you are using a patched version of the affected plugins.
CVE-2022-25173 affects Jenkins with the Pipeline: Groovy Plugin, particularly versions prior to 2.92.1.
An attacker needs item/configure permission to exploit CVE-2022-25173 and invoke arbitrary OS commands.
More information about CVE-2022-25173 can typically be found in security advisories or the official Jenkins security page.