Jenkins Pipeline Groovy Plugin Vulnerability in SCM Handling
CVE-2022-25173
8.8HIGH
Key Information:
- Vendor
- Jenkins
- Vendor
- CVE Published:
- 15 February 2022
Summary
The Jenkins Pipeline Groovy Plugin has a vulnerability that arises from its use of identical checkout directories for different Source Code Management (SCM) systems. This flaw enables users who possess Item/Configure permissions to exploit the system by injecting malicious scripts into the SCM contents. Such an attack can result in the execution of arbitrary OS commands on the Jenkins controller, posing a significant security risk.
Affected Version(s)
Jenkins Pipeline: Groovy Plugin <= 2648.va9433432b33c
Jenkins Pipeline: Groovy Plugin 2.94.1
Jenkins Pipeline: Groovy Plugin 2.92.1
References
CVSS V3.1
Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved