CVE-2022-25181
First published: Tue Feb 15 2022(Updated: )
A flaw was found in Jenkins. The Pipeline: Shared Groovy Libraries Plugin uses the same workspace directory for all checkouts of Pipeline libraries with the same name, regardless of the SCM used and the source of the library configuration. This flaw allows attackers with item/configure permission to execute arbitrary code in the context of the Jenkins controller, JVM, through crafted SCM contents if a global Pipeline library already exists.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jenkins | <2-plugins-0:3.11.1650371376-1.el7 | 2-plugins-0:3.11.1650371376-1.el7 |
| redhat/jenkins | <2-plugins-0:4.10.1647505461-1.el8 | 2-plugins-0:4.10.1647505461-1.el8 |
| redhat/jenkins | <2-plugins-0:4.6.1650364520-1.el8 | 2-plugins-0:4.6.1650364520-1.el8 |
| redhat/jenkins | <2-plugins-0:4.7.1648800585-1.el8 | 2-plugins-0:4.7.1648800585-1.el8 |
| redhat/jenkins | <2-plugins-0:4.8.1646993358-1.el8 | 2-plugins-0:4.8.1646993358-1.el8 |
| redhat/jenkins | <2-plugins-0:4.9.1647580879-1.el8 | 2-plugins-0:4.9.1647580879-1.el8 |
| Jenkins Pipeline\ | <=552.vd9cc05b8a2e1 | |
| maven/org.jenkins-ci.plugins.workflow:workflow-cps-global-lib | <=552.vd9cc05b8a2e1 | 561.va_ce0de3c2d69 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2022-25181
- https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2441
- https://github.com/jenkinsci/workflow-cps-global-lib-plugin/commit/ace0de3c2d691662021ea10306eeb407da6b6365
- https://github.com/advisories/GHSA-7w2w-fwpf-9m4h (Advisory)
- https://www.jenkins.io/security/advisory/2022-02-15/
- https://access.redhat.com/errata/RHSA-2022:1025
- https://access.redhat.com/errata/RHSA-2022:1021
- https://access.redhat.com/security/cve/cve-2022-25181
- https://access.redhat.com/errata/RHSA-2022:1248
- https://access.redhat.com/errata/RHSA-2022:1420
- https://access.redhat.com/errata/RHSA-2022:1620
- https://bugzilla.redhat.com/show_bug.cgi?id=2055797
- https://www.cve.org/CVERecord?id=CVE-2022-25181 https://nvd.nist.gov/vuln/detail/CVE-2022-25181
- https://access.redhat.com/errata/RHSA-2022:0871
Parent vulnerabilities
(Appears in the following advisories)
- collector/redhat-cve
- collector/nvd-index
- collector/nvd-api
- collector/github-advisory-latest
- alias/GHSA-7w2w-fwpf-9m4h
- alias/CVE-2022-25181
- collector/nvd-cve
- collector/github-advisory
- agent/type
- agent/softwarecombine
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- agent/references
- agent/weakness
- agent/author
- agent/severity
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/description
- agent/event
- agent/trending
- package-manager/redhat
- vendor/jenkins
- canonical/jenkins pipeline\
- version/jenkins pipeline\/552.vd9cc05b8a2e1
- package-manager/maven