VDB

CVE-2022-25177

CVE-2022-25177 PUBLISHED CVSS 6.5 MEDIUM

Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier follows symbolic links to locations outside of the expected Pipeline library when reading files using the libraryResource step, allowing attackers able to configure Pipelines to read arbitrary files on the Jenkins controller file system.

EPSS 0.64% · 70.9th percentile

Risk Scores

CVSS v3.1
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Score
0.64%
70.9th percentile

Affected Products

VendorProductVersions
Jenkins projectJenkins Pipeline: Shared Groovy Libraries Plugin*, 2.21.1, 2.18.1
jenkinspipeline\*
Mavenorg.jenkins-ci.plugins.workflow:workflow-cps-global-lib2.22, 0, 2.19

Timeline

  • Feb 15, 2022 CVE Published
  • Feb 16, 2022 EPSS Score
  • Apr 9, 2022 EPSS Score
  • May 31, 2022 EPSS Score
  • Jul 23, 2022 EPSS Score
  • Sep 13, 2022 EPSS Score
  • Nov 5, 2022 EPSS Score
  • Dec 27, 2022 EPSS Score
  • Feb 17, 2023 EPSS Score
  • Apr 10, 2023 EPSS Score
  • Jun 1, 2023 EPSS Score
  • Jul 23, 2023 EPSS Score

References

Open in Interactive Console →
$ Console Community · 100/wk Open console ›