CVE-2022-25181 – org.jenkins-ci.plugins.workflow:workflow-cps-global-lib

Package

Manager: maven
Name: org.jenkins-ci.plugins.workflow:workflow-cps-global-lib
Vulnerable Version: >=0 <561.va_ce0de3c2d69

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00157 pctl0.37101

Details

Jenkins Pipeline: Deprecated Groovy Libraries Plugin Protection Mechanism Failure Jenkins Pipeline: Deprecated Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier uses the same workspace directory for all checkouts of Pipeline libraries with the same name regardless of the SCM being used and the source of the library configuration. This allows attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM through crafted SCM contents, if a global Pipeline library already exists. Pipeline: Deprecated Groovy Libraries Plugin 561.va_ce0de3c2d69 uses distinct checkout directories per SCM for Pipeline libraries.

Metadata

Created: 2022-02-16T00:01:32Z
Modified: 2023-10-27T19:10:33Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-7w2w-fwpf-9m4h/GHSA-7w2w-fwpf-9m4h.json
CWE IDs: ["CWE-693"]
Alternative ID: GHSA-7w2w-fwpf-9m4h
Finding: F115
Auto approve: 1