VDB
CVE-2022-25178
CVE-2022-25178
PUBLISHED
CVSS 6.5 MEDIUM
Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier does not restrict the names of resources passed to the libraryResource step, allowing attackers able to configure Pipelines permission to read arbitrary files on the Jenkins controller file system.
EPSS 0.30% · 53.2th percentile
Risk Scores
CVSS 3.1
6.5
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Score
0.30%
53.2th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jenkins project | Jenkins Pipeline: Shared Groovy Libraries Plugin | 2.21.1, unspecified, 2.18.1 |
| jenkins | pipeline\ | * |
| Maven | org.jenkins-ci.plugins.workflow:workflow-cps-global-lib | 2.22, 2.19, 0 |
Exploit Intelligence
- CIRCL seen: CVE-2022-25178 (circl-sighting)
- https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2613 (circl)
Timeline
- Feb 15, 2022 CVE Published
- Feb 15, 2022 PoC Published
- Feb 16, 2022 EPSS Score
- Apr 9, 2022 EPSS Score
- May 31, 2022 EPSS Score
- Jul 24, 2022 EPSS Score
- Sep 14, 2022 EPSS Score
- Nov 5, 2022 EPSS Score
- Dec 27, 2022 EPSS Score
- Feb 17, 2023 EPSS Score
- Mar 7, 2023 EPSS Score
- Apr 10, 2023 EPSS Score