Main Vulnerability Database Vulnerabilities #VU60637

#VU60637 UNIX symbolic link following in Pipeline: Shared Groovy Libraries - CVE-2022-25177

Published: February 16, 2022

Vulnerability identifier: #VU60637

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2022-25177

CWE-ID: CWE-61

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Pipeline: Shared Groovy Libraries

Software vendor:
Jenkins

Description

The vulnerability allows a remote attacker to gain access to sensitive information on the system.

The vulnerability exists due to the affected plugin follows symbolic links to locations outside of the expected Pipeline library when reading files using the libraryResource step. A remote user can create a specially crafted symbolic link to a critical file on the system and read arbitrary files on the Jenkins controller file system.

Remediation

Install updates from vendor's website.

External links

https://jenkins.io/security/advisory/2022-02-15/

#VU60637 UNIX symbolic link following in Pipeline: Shared Groovy Libraries - CVE-2022-25177

Description

Remediation

External links

Please verify you're human