CVE-2022-25177 — Improper Link Resolution Before File Access in Jenkins Pipeline: Shared Groovy L

Description

Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier follows symbolic links to locations outside of the expected Pipeline library when reading files using the libraryResource step, allowing attackers able to configure Pipelines to read arbitrary files on the Jenkins controller file system.

How to fix CVE-2022-25177

To remediate CVE-2022-25177, upgrade the affected package to a fixed version below.

—upgrade to 561.va_ce0de3c2d69 or later

Is CVE-2022-25177 being exploited?

Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 2.22, < 561.va_ce0de3c2d69

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-25177
PATCHgithub.com/jenkinsci/workflow-cps-global-lib-plugin
WEBwww.jenkins.io/security/advisory/2022-02-15/#SECURITY-2613