Jenkins Pipeline Groovy Plugin Vulnerability in SCM Handling
CVE-2022-25173

8.8HIGH

Key Information:

Vendor: Jenkins
Status: Jenkins Pipeline: Groovy Plugin
Vendor: CVE Published:; 15 February 2022

What is CVE-2022-25173?

The Jenkins Pipeline Groovy Plugin has a vulnerability that arises from its use of identical checkout directories for different Source Code Management (SCM) systems. This flaw enables users who possess Item/Configure permissions to exploit the system by injecting malicious scripts into the SCM contents. Such an attack can result in the execution of arbitrary OS commands on the Jenkins controller, posing a significant security risk.

Affected Version(s)

Jenkins Pipeline: Groovy Plugin <= 2648.va9433432b33c

Jenkins Pipeline: Groovy Plugin 2.94.1

Jenkins Pipeline: Groovy Plugin 2.92.1

References

https://www.jenkins.io/security/advisory/2022-02-15/#SECU...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2022/02/15/2

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 15, 2022
Vulnerability Reserved
Feb 15, 2022