CVE-2022-30949: Path Traversal
First published: Tue May 17 2022(Updated: )
Jenkins REPO Plugin 1.14.0 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.jenkins-ci.plugins:git | <4.11.2 | 4.11.2 |
| maven/org.jenkins-ci.plugins:mercurial | <2.16.1 | 2.16.1 |
| maven/org.jenkins-ci.plugins:repo | <1.14.1 | 1.14.1 |
| Jenkins Repository Connector | <1.15.0 | |
| Jenkins | <=4.11.1 | |
| Mercurial | <=2.16 | |
| Jenkins Repository Connector | <=1.14.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2022/05/17/8
- https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2478
- https://nvd.nist.gov/vuln/detail/CVE-2022-30949
- https://github.com/jenkinsci/repo-plugin/commit/8c9cbb88baffc64d1b63183235eb86c773108235
- https://github.com/jenkinsci/git-plugin/commit/b295606e0b865c298fde27bea14f9b7535a976e6
- https://github.com/jenkinsci/mercurial-plugin/commit/55904fbb8c9d3e0b36fc26330374904cb68e8758
- https://github.com/advisories/GHSA-8vfc-fcr2-47pj (Advisory)
Frequently Asked Questions
What is the severity of CVE-2022-30949?
CVE-2022-30949 is classified as a medium severity vulnerability.
How do I fix CVE-2022-30949?
To fix CVE-2022-30949, update the Jenkins Repo Plugin to version 1.14.1 or later.
Which versions of Jenkins are affected by CVE-2022-30949?
CVE-2022-30949 affects Jenkins Repo Plugin versions 1.14.0 and earlier.
What type of vulnerability is CVE-2022-30949?
CVE-2022-30949 is a local path traversal vulnerability in the Jenkins Repo Plugin.
Who is impacted by CVE-2022-30949?
Attackers who can configure pipelines in Jenkins can exploit CVE-2022-30949 to access limited SCM information.
- collector/github-advisory-latest
- alias/GHSA-8vfc-fcr2-47pj
- alias/CVE-2022-30949
- collector/github-advisory
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/references
- agent/severity
- agent/author
- agent/last-modified-date
- agent/event
- agent/description
- agent/first-publish-date
- agent/trending
- agent/source
- collector/nvd-cve
- agent/software-canonical-lookup-request
- collector/nvd-api
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- package-manager/maven
- vendor/jenkins
- canonical/jenkins repository connector
- canonical/jenkins
- version/jenkins/4.11.1
- canonical/mercurial
- version/mercurial/2.16
- version/jenkins repository connector/1.14.0