Arbitrary OS Command Invocation in Jenkins Pipeline due to Shared Groovy Libraries Plugin Vulnerability
CVE-2022-25174

8.8HIGH

Key Information:

Vendor: Jenkins
Status: Jenkins Pipeline: Shared Groovy Libraries Plugin
Vendor: CVE Published:; 15 February 2022

Summary

The Shared Groovy Libraries Plugin for Jenkins allows for potentially dangerous configurations due to its use of the same checkout directories for different Source Code Management (SCM) systems. This flaw enables users with sufficient permissions to execute arbitrary operating system commands on the Jenkins controller. Attackers can exploit this vulnerability by maliciously crafting SCM contents, thereby leading to unauthorized command execution and potential system compromise.

Affected Version(s)

Jenkins Pipeline: Shared Groovy Libraries Plugin <= 552.vd9cc05b8a2e1

Jenkins Pipeline: Shared Groovy Libraries Plugin 2.21.1

Jenkins Pipeline: Shared Groovy Libraries Plugin 2.18.1

References

https://www.jenkins.io/security/advisory/2022-02-15/#SECU...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 15, 2022
Vulnerability Reserved
Feb 15, 2022