CVE-2022-30948
First published: Tue May 17 2022(Updated: )
Jenkins Mercurial Plugin 2.16 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents.
Credit: jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jenkins | <2-plugins-0:4.8.1672842762-1.el8 | 2-plugins-0:4.8.1672842762-1.el8 |
| redhat/Mercurial Plugin | <2.16.1 | 2.16.1 |
| Mercurial | <2.16.1 | |
| Jenkins | <=4.11.1 | |
| Mercurial | <=2.16 | |
| Jenkins Repository Connector | <=1.14.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2022/05/17/8
- https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2478
- https://www.cve.org/CVERecord?id=CVE-2022-30948 https://nvd.nist.gov/vuln/detail/CVE-2022-30948 https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2478
- https://bugzilla.redhat.com/show_bug.cgi?id=2119644
- https://access.redhat.com/errata/RHSA-2023:0017
- https://access.redhat.com/security/cve/cve-2022-30948
Frequently Asked Questions
What is the severity of CVE-2022-30948?
CVE-2022-30948 is considered a medium severity vulnerability due to the potential exposure of sensitive information.
How do I fix CVE-2022-30948?
To mitigate CVE-2022-30948, update the Jenkins Mercurial Plugin to version 2.17 or later.
What does CVE-2022-30948 affect?
CVE-2022-30948 affects Jenkins Mercurial Plugin versions 2.16 and earlier.
What vulnerability does CVE-2022-30948 exploit?
CVE-2022-30948 exploits the ability for attackers to configure pipelines to access restricted SCM repository paths on the Jenkins controller.
Can CVE-2022-30948 lead to unauthorized access?
Yes, CVE-2022-30948 can lead to unauthorized access to limited information about other projects' SCM contents through insecure configuration.
- collector/redhat-cve
- agent/first-publish-date
- agent/type
- agent/references
- agent/severity
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-30948
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/author
- collector/nvd-api
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- package-manager/redhat
- vendor/jenkins
- canonical/mercurial
- canonical/jenkins
- version/jenkins/4.11.1
- version/mercurial/2.16
- canonical/jenkins repository connector
- version/jenkins repository connector/1.14.0