Main Vulnerability Database Vulnerabilities #VU60634

UNIX symbolic link following in Pipeline: Groovy - CVE-2022-25176

Published: February 16, 2022

Vulnerability identifier: #VU60634

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2022-25176

CWE-ID: CWE-61

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Jenkins

Affected software:
Pipeline: Groovy

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to sensitive information on the system.

The vulnerability exists due to the affected plugin follows symbolic links to locations outside of the checkout directory for the configured SCM when reading the script file (typically Jenkinsfile) for Pipelines. A remote user can create a specially crafted symbolic link to a critical file on the system and gain access to sensitive information.

How to mitigate CVE-2022-25176

Install updates from vendor's website.

Sources

https://jenkins.io/security/advisory/2022-02-15/

UNIX symbolic link following in Pipeline: Groovy - CVE-2022-25176

Detailed vulnerability description

How to mitigate CVE-2022-25176

Sources

Please verify you're human