UNIX symbolic link following in Pipeline: Multibranch - CVE-2022-25179
Published: February 16, 2022
Vulnerability identifier: #VU60643
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2022-25179
CWE-ID: CWE-61
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Jenkins
Affected software:
Pipeline: Multibranch
Pipeline: Multibranch
Detailed vulnerability description
The vulnerability allows a remote attacker to gain access to sensitive information on the system.
The vulnerability exists due to the affected plugin follows symbolic links to locations outside of the checkout directory for the configured SCM when reading files using the readTrusted step. A remote user can configure Pipelines permission to read arbitrary files on the Jenkins controller file system.
How to mitigate CVE-2022-25179
Install updates from vendor's website.