Jenkins Pipeline Groovy Plugin Vulnerability in SCM Handling
CVE-2022-25173

8.8 HIGH

Key Information:

Vendor: Jenkins
CVE Published: 15 February 2022

Summary

The Jenkins Pipeline Groovy Plugin has a vulnerability that arises from its use of identical checkout directories for different Source Code Management (SCM) systems. This flaw enables users who possess Item/Configure permissions to exploit the system by injecting malicious scripts into the SCM contents. Such an attack can result in the execution of arbitrary OS commands on the Jenkins controller, posing a significant security risk.

Affected Version(s)

Jenkins Pipeline: Groovy Plugin <= 2648.va9433432b33c

Jenkins Pipeline: Groovy Plugin 2.94.1

Jenkins Pipeline: Groovy Plugin 2.92.1

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
