logo

Database

Security controls bypass or absence In org.jenkins-ci.plugins.workflow:workflow-cps-global-lib

Description

Jenkins Pipeline: Deprecated Groovy Libraries Plugin Protection Mechanism Failure Jenkins Pipeline: Deprecated Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier uses the names of Pipeline libraries to create cache directories without any sanitization.

This allows attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM using specially crafted library names if a global Pipeline library configured to use caching already exists.

Pipeline: Deprecated Groovy Libraries Plugin 561.va_ce0de3c2d69 sanitizes the names of Pipeline libraries when creating library cache directories.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2022-251832. NVD-2022-251833. OSV-2022-251834. GCVE-2022-25183

References

1. https://github.com/jenkinsci/workflow-cps-global-lib-plugin/commit/ace0de3c2d691662021ea10306eeb407da6b63652. https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2586

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.