Main Vulnerability Database Vulnerabilities #VU60638

UNIX symbolic link following in Pipeline: Shared Groovy Libraries - CVE-2022-25178

Published: February 16, 2022

Vulnerability identifier: #VU60638

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2022-25178

CWE-ID: CWE-61

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Jenkins

Affected software:
Pipeline: Shared Groovy Libraries

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to sensitive information on the system.

The vulnerability exists due to the affected plugin does not restrict the names of resources passed to the "libraryResource" step. A remote user can create a specially crafted symbolic link to a critical file on the system and read arbitrary files on the Jenkins controller file system.

How to mitigate CVE-2022-25178

Install updates from vendor's website.

Sources

https://jenkins.io/security/advisory/2022-02-15/

UNIX symbolic link following in Pipeline: Shared Groovy Libraries - CVE-2022-25178

Detailed vulnerability description

How to mitigate CVE-2022-25178

Sources

Please verify you're human