Arbitrary OS Command Invocation in Jenkins Pipeline due to Shared Groovy Libraries Plugin Vulnerability
CVE-2022-25174

8.8HIGH

Key Information:

Vendor

Jenkins
Status
Jenkins Pipeline: Shared Groovy Libraries Plugin
Vendor
CVE Published:
15 February 2022

What is CVE-2022-25174?

The Shared Groovy Libraries Plugin for Jenkins allows for potentially dangerous configurations due to its use of the same checkout directories for different Source Code Management (SCM) systems. This flaw enables users with sufficient permissions to execute arbitrary operating system commands on the Jenkins controller. Attackers can exploit this vulnerability by maliciously crafting SCM contents, thereby leading to unauthorized command execution and potential system compromise.

Affected Version(s)

Jenkins Pipeline: Shared Groovy Libraries Plugin <= 552.vd9cc05b8a2e1

Jenkins Pipeline: Shared Groovy Libraries Plugin 2.21.1

Jenkins Pipeline: Shared Groovy Libraries Plugin 2.18.1

References

https://www.jenkins.io/security/advisory/2022-02-15/#SECU...
x_refsource_CONFIRM

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.