CVE-2022-30947: Path Traversal
First published: Tue May 17 2022(Updated: )
Jenkins Git Plugin 4.11.1 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins Git | <=4.11.1 | |
| Jenkins Mercurial | <=2.16 | |
| Jenkins Repo | <=1.14.0 | |
| maven/org.jenkins-ci.plugins:repo | <=1.14.0 | 1.15.0 |
| maven/org.jenkins-ci.plugins:mercurial | <=2.16 | 2.16.1 |
| maven/org.jenkins-ci.plugins:git | <=4.11.1 | 4.11.2 |
| Jenkins Git | <4.11.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2022-30947
- https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2478
- http://www.openwall.com/lists/oss-security/2022/05/17/8
- https://github.com/jenkinsci/git-plugin/commit/b295606e0b865c298fde27bea14f9b7535a976e6
- https://github.com/jenkinsci/mercurial-plugin/commit/55904fbb8c9d3e0b36fc26330374904cb68e8758
- https://github.com/jenkinsci/repo-plugin/commit/3c8e6236b1088fc138a1a3e6af5ebbcb8b616f2f
- https://github.com/advisories/GHSA-84cm-vjwm-m979 (Advisory)
Frequently Asked Questions
What is the severity of CVE-2022-30947?
CVE-2022-30947 has a medium severity rating, indicating potential risks to the information contained in the Jenkins environment.
How do I fix CVE-2022-30947?
To fix CVE-2022-30947, upgrade the Jenkins Git Plugin to version 4.11.2 or later, the Mercurial Plugin to version 2.16.1, and the Repo Plugin to version 1.15.0.
What versions are affected by CVE-2022-30947?
CVE-2022-30947 affects Jenkins Git Plugin versions 4.11.1 and earlier, Mercurial Plugin versions 2.16 and earlier, and Repo Plugin versions 1.14.0 and earlier.
What is the impact of CVE-2022-30947?
The impact of CVE-2022-30947 allows attackers to access limited information about other projects' source code management contents if they can configure pipelines.
Who is at risk with CVE-2022-30947?
Organizations using Jenkins with the affected plugin versions for Git, Mercurial, or Repo are at risk for data exposure through this vulnerability.
- collector/nvd-index
- collector/nvd-cve
- collector/github-advisory-latest
- alias/GHSA-84cm-vjwm-m979
- alias/CVE-2022-30947
- collector/github-advisory
- agent/type
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/author
- agent/references
- agent/weakness
- agent/severity
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/description
- agent/first-publish-date
- agent/trending
- agent/tags
- agent/source
- vendor/jenkins
- canonical/jenkins git
- version/jenkins git/4.11.1
- canonical/jenkins mercurial
- version/jenkins mercurial/2.16
- canonical/jenkins repo
- version/jenkins repo/1.14.0
- package-manager/maven