CVE-2022-25177
First published: Tue Feb 15 2022(Updated: )
A flaw was found in Jenkins. The Pipeline: Shared Groovy Libraries follows symbolic links to locations outside of the expected Pipeline library when reading files using the libraryResource step. This flaw allows attackers who can configure Pipelines to read arbitrary files on the Jenkins controller file system.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jenkins | <2-plugins-0:3.11.1650371376-1.el7 | 2-plugins-0:3.11.1650371376-1.el7 |
| redhat/jenkins | <2-plugins-0:4.10.1647505461-1.el8 | 2-plugins-0:4.10.1647505461-1.el8 |
| redhat/jenkins | <2-plugins-0:4.6.1650364520-1.el8 | 2-plugins-0:4.6.1650364520-1.el8 |
| redhat/jenkins | <2-plugins-0:4.7.1648800585-1.el8 | 2-plugins-0:4.7.1648800585-1.el8 |
| redhat/jenkins | <2-plugins-0:4.8.1646993358-1.el8 | 2-plugins-0:4.8.1646993358-1.el8 |
| redhat/jenkins | <2-plugins-0:4.9.1647580879-1.el8 | 2-plugins-0:4.9.1647580879-1.el8 |
| Jenkins Pipeline\ | <=552.vd9cc05b8a2e1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2022-25177
- https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2613
- https://github.com/advisories/GHSA-q234-x887-9rxh (Advisory)
- https://www.jenkins.io/security/advisory/2022-02-15/
- https://access.redhat.com/errata/RHSA-2022:1025
- https://access.redhat.com/errata/RHSA-2022:1021
- https://access.redhat.com/security/cve/cve-2022-25177
- https://access.redhat.com/errata/RHSA-2022:1248
- https://access.redhat.com/errata/RHSA-2022:1420
- https://access.redhat.com/errata/RHSA-2022:1620
- https://bugzilla.redhat.com/show_bug.cgi?id=2055788
- https://www.cve.org/CVERecord?id=CVE-2022-25177 https://nvd.nist.gov/vuln/detail/CVE-2022-25177
- https://access.redhat.com/errata/RHSA-2022:0871
Parent vulnerabilities
(Appears in the following advisories)
- collector/github-advisory-latest
- alias/GHSA-q234-x887-9rxh
- alias/CVE-2022-25177
- collector/github-advisory
- collector/redhat-cve
- collector/nvd-index
- collector/nvd-cve
- collector/nvd-api
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- agent/softwarecombine
- agent/remedy
- agent/author
- agent/weakness
- agent/references
- agent/severity
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/description
- agent/event
- agent/trending
- package-manager/maven
- package-manager/redhat
- vendor/jenkins
- canonical/jenkins pipeline\
- version/jenkins pipeline\/552.vd9cc05b8a2e1