CVE-2022-25178: Path Traversal
First published: Tue Feb 15 2022(Updated: )
A flaw was found in Jenkins. The Pipeline: Shared Groovy Libraries does not restrict the names of resources passed to the libraryResource step. This flaw allows attackers who can configure Pipelines to read arbitrary files on the Jenkins controller file system.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.jenkins-ci.plugins.workflow:workflow-cps-global-lib | <2.18.1 | 2.18.1 |
| maven/org.jenkins-ci.plugins.workflow:workflow-cps-global-lib | >=2.19<2.21.1 | 2.21.1 |
| maven/org.jenkins-ci.plugins.workflow:workflow-cps-global-lib | >=2.22<=552.vd9cc05b8a2e1 | 561.va_ce0de3c2d69 |
| redhat/jenkins | <2-plugins-0:3.11.1650371376-1.el7 | 2-plugins-0:3.11.1650371376-1.el7 |
| redhat/jenkins | <2-plugins-0:4.10.1647505461-1.el8 | 2-plugins-0:4.10.1647505461-1.el8 |
| redhat/jenkins | <2-plugins-0:4.6.1650364520-1.el8 | 2-plugins-0:4.6.1650364520-1.el8 |
| redhat/jenkins | <2-plugins-0:4.7.1648800585-1.el8 | 2-plugins-0:4.7.1648800585-1.el8 |
| redhat/jenkins | <2-plugins-0:4.8.1646993358-1.el8 | 2-plugins-0:4.8.1646993358-1.el8 |
| redhat/jenkins | <2-plugins-0:4.9.1647580879-1.el8 | 2-plugins-0:4.9.1647580879-1.el8 |
| Jenkins Pipeline\ | <=552.vd9cc05b8a2e1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2022-25178
- https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2613
- https://github.com/advisories/GHSA-5hfv-mg5x-mv32 (Advisory)
- https://www.jenkins.io/security/advisory/2022-02-15/
- https://access.redhat.com/errata/RHSA-2022:1025
- https://access.redhat.com/errata/RHSA-2022:1021
- https://access.redhat.com/security/cve/cve-2022-25178
- https://access.redhat.com/errata/RHSA-2022:1248
- https://access.redhat.com/errata/RHSA-2022:1420
- https://access.redhat.com/errata/RHSA-2022:1620
- https://bugzilla.redhat.com/show_bug.cgi?id=2055789
- https://www.cve.org/CVERecord?id=CVE-2022-25178 https://nvd.nist.gov/vuln/detail/CVE-2022-25178
- https://access.redhat.com/errata/RHSA-2022:0871
Parent vulnerabilities
(Appears in the following advisories)
- collector/github-advisory-latest
- alias/GHSA-5hfv-mg5x-mv32
- alias/CVE-2022-25178
- collector/github-advisory
- collector/redhat-cve
- collector/nvd-index
- collector/nvd-cve
- collector/nvd-api
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- agent/references
- agent/remedy
- agent/severity
- agent/weakness
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/description
- agent/event
- agent/trending
- package-manager/maven
- package-manager/redhat
- vendor/jenkins
- canonical/jenkins pipeline\
- version/jenkins pipeline\/552.vd9cc05b8a2e1