CVE-2022-25179 – org.jenkins-ci.plugins.workflow:workflow-multibranch
Package
Manager: maven
Name: org.jenkins-ci.plugins.workflow:workflow-multibranch
Vulnerable Version: >=2.24 <2.26.1 || >=0 <2.23.1 || >=696.v52535c46f4c9 <696.698.v9b4218eea50f || >=706.vd43c65dec013 <707.v71c3f0a
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.01385 (percentile 0.79588)
Details
Link Following in Jenkins Pipeline Multibranch Plugin
Jenkins Pipeline: Multibranch Plugin prior to 2.23.1, 2.26.1, 696.698.v9b4218eea50f, and 707.v71c3f0a_6ccdb_ follows symbolic links to locations outside of the checkout directory for the configured SCM when reading files using the readTrusted step, allowing attackers with permission to configure Pipelines to read arbitrary files on the Jenkins controller file system.
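The check that closes this class of bug (CWE-59) is to resolve the requested file and verify that the resolved path still lies inside the resolved checkout root before reading it. The following Python is an added illustration, not code from the plugin or from the advisory; it builds a constructed checkout directory in a temporary location, places a symlink inside it that points to a file outside, and contrasts a naive read (which follows the link, as the advisory describes) with a hardened read that refuses both the symlink and a `..` traversal.

```python
import os
import tempfile
from pathlib import Path


def read_trusted_naive(checkout: str, relpath: str) -> bytes:
    """Read checkout/relpath with no containment check (the behaviour the advisory describes)."""
    return (Path(checkout) / relpath).read_bytes()


def read_trusted_hardened(checkout: str, relpath: str) -> bytes:
    """Read checkout/relpath only if its fully resolved path stays inside the resolved checkout root."""
    root = Path(checkout).resolve(strict=True)
    target = (root / relpath).resolve(strict=True)  # follows every symlink and collapses '..'
    if target != root and root not in target.parents:
        raise PermissionError(f"{relpath!r} resolves outside the checkout directory")
    return target.read_bytes()


def demo() -> dict:
    """Constructed scenario: a checkout that contains a symlink to a file outside it."""
    with tempfile.TemporaryDirectory() as tmp:
        outside = Path(tmp) / "outside.txt"          # stands in for a controller-side file
        outside.write_bytes(b"controller-side data")
        checkout = Path(tmp) / "checkout"
        checkout.mkdir()
        (checkout / "Jenkinsfile").write_bytes(b"pipeline {}")
        os.symlink(outside, checkout / "link")       # attacker-controlled link inside the checkout

        result = {
            "naive_follows_link": read_trusted_naive(str(checkout), "link") == b"controller-side data",
            "hardened_reads_legit": read_trusted_hardened(str(checkout), "Jenkinsfile") == b"pipeline {}",
        }
        for key, rel in (("hardened_blocks_link", "link"), ("hardened_blocks_traversal", "../outside.txt")):
            try:
                read_trusted_hardened(str(checkout), rel)
                result[key] = False
            except PermissionError:
                result[key] = True
        return result


if __name__ == "__main__":
    print(demo())
```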
Metadata
Created: 2022-02-16T00:01:33Z
Modified: 2023-05-24T14:25:01Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-2m9w-9xh2-wxc3/GHSA-2m9w-9xh2-wxc3.json
CWE IDs: CWE-59 (Improper Link Resolution Before File Access, "Link Following")
Alternative ID: GHSA-2m9w-9xh2-wxc3
Finding: F076
Auto approve: 1