CVE-2026-48921

Source
https://cve.org/CVERecord?id=CVE-2026-48921
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48921.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-48921
Aliases
Published
2026-05-27T15:16:31.747Z
Modified
2026-07-15T06:10:17.430179Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

Jenkins Pipeline: Groovy Libraries Plugin 797.v90eaa9be45a0 and earlier does not prohibit symbolic links in shared libraries, allowing attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem.

References

Affected packages

Git / github.com/jenkinsci/pipeline-groovy-lib-plugin

Affected ranges

Type
GIT
Repo
https://github.com/jenkinsci/pipeline-groovy-lib-plugin
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:jenkins:pipeline\\:_groovy_libraries:*:*:*:*:*:*:*:*",
    "source": "CPE_RANGE",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "798.v5cc688825312"
        }
    ]
}

Affected versions

589.*
589.vb_a_b_4a_a_8c443c
591.*
591.v3a_7f422b_d058
593.*
593.va_a_fc25d520e9
598.*
598.vcd66b_a_336510
612.*
612.v84da_9c54906d
613.*
613.v9c41a_160233f
621.*
621.vb_44ce045b_582
629.*
629.vb_5627b_ee2104
656.*
656.va_a_ceeb_6ffb_f7
671.*
671.v07c339c842e8
673.*
673.vb_c5d5948283c
685.*
685.v8ee9ed91d574
687.*
687.v62591d623759
689.*
689.veec561a_dee13
700.*
700.v0e341fa_57d53
704.*
704.vc58b_8890a_384
710.*
710.v4b_94b_077a_808
727.*
727.ve832a_9244dfa_
730.*
730.ve57b_34648c63
740.*
740.va_2701257fe8d
744.*
744.v5b_556ee7c253
745.*
745.vdf6077913de0
749.*
749.v70084559234a_
751.*
751.v709f84f7d768
752.*
752.vdddedf804e72
763.*
763.v13008816b_de7
766.*
766.v2b_e08c2e6ff2
776.*
776.vfee5327b_b_a_5b_
787.*
787.ve2fef0efdca_6
797.*
797.v90ea_a_9b_e45a_0

Database specific

vanir_signatures
[
    {
        "source": "https://github.com/jenkinsci/pipeline-groovy-lib-plugin/commit/5cc688825312c805c93cadd0b61c42cdbf45f61f",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "72656283845224301365310572096345427899",
            "length": 3980.0
        },
        "id": "CVE-2026-48921-2d3976b7",
        "signature_type": "Function",
        "target": {
            "function": "doRetrieve",
            "file": "src/main/java/org/jenkinsci/plugins/workflow/libs/SCMBasedRetriever.java"
        }
    },
    {
        "source": "https://github.com/jenkinsci/pipeline-groovy-lib-plugin/commit/5cc688825312c805c93cadd0b61c42cdbf45f61f",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "251979580115318692229218899962687648778",
                "174998602760317192040151353164042922787",
                "88195518546502241173675227681388088713",
                "154527407684054825527926744227986417248",
                "103130227761527551167557635145230382077",
                "122166725084250685294658455587807955919",
                "247527537563805095468574862494952666897",
                "2911532029258497559364649457357432427",
                "292617559636662682115880908568957697529",
                "257697839725486107349119268159641727836",
                "249748238905822826680902554433092891693",
                "301330057814195189920393384042041120655",
                "115110573693560218960484084620930363333"
            ]
        },
        "id": "CVE-2026-48921-548fb0d0",
        "signature_type": "Line",
        "target": {
            "file": "src/test/java/org/jenkinsci/plugins/workflow/libs/SCMSourceRetrieverTest.java"
        }
    },
    {
        "source": "https://github.com/jenkinsci/pipeline-groovy-lib-plugin/commit/5cc688825312c805c93cadd0b61c42cdbf45f61f",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "215937122373796502109191090231335485637",
                "46914635653444291413639397216790752478",
                "109123133880426082159907658234270545242",
                "319231720322609567832271823391192995748"
            ]
        },
        "id": "CVE-2026-48921-59651ceb",
        "signature_type": "Line",
        "target": {
            "file": "src/test/java/org/jenkinsci/plugins/workflow/libs/ResourceStepTest.java"
        }
    },
    {
        "source": "https://github.com/jenkinsci/pipeline-groovy-lib-plugin/commit/5cc688825312c805c93cadd0b61c42cdbf45f61f",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "262427193025924656186401405481482339666",
            "length": 1143.0
        },
        "id": "CVE-2026-48921-61a22995",
        "signature_type": "Function",
        "target": {
            "function": "symlinksInLibraryResourcesAreNotAllowedToEscapeWorkspaceContext",
            "file": "src/test/java/org/jenkinsci/plugins/workflow/libs/ResourceStepTest.java"
        }
    },
    {
        "source": "https://github.com/jenkinsci/pipeline-groovy-lib-plugin/commit/5cc688825312c805c93cadd0b61c42cdbf45f61f",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "function_hash": "62380524346465266434943186139516761548",
            "length": 3672.0
        },
        "id": "CVE-2026-48921-70b78246",
        "signature_type": "Function",
        "target": {
            "function": "retrieve",
            "file": "src/main/java/org/jenkinsci/plugins/workflow/libs/LibraryAdder.java"
        }
    },
    {
        "source": "https://github.com/jenkinsci/pipeline-groovy-lib-plugin/commit/5cc688825312c805c93cadd0b61c42cdbf45f61f",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "60662566486544379435341622630030831311",
                "187832888546101599058657129020576564408",
                "337652553324878761854784438942634422758",
                "62250684697871037299317247947736883245",
                "97519431344735015928937021410740131493",
                "308833712860095179650833958774660384536",
                "35491868682322131630027765155179054267",
                "329418057557900408003709734989706799379"
            ]
        },
        "id": "CVE-2026-48921-a7842a01",
        "signature_type": "Line",
        "target": {
            "file": "src/main/java/org/jenkinsci/plugins/workflow/libs/LibraryAdder.java"
        }
    },
    {
        "source": "https://github.com/jenkinsci/pipeline-groovy-lib-plugin/commit/5cc688825312c805c93cadd0b61c42cdbf45f61f",
        "deprecated": false,
        "signature_version": "v1",
        "digest": {
            "threshold": 0.9,
            "line_hashes": [
                "140358151189412432502161373531137462280",
                "313006434286295430871162023259870558341",
                "116965373023178036325345523943501072199",
                "174012181602255372481603887611415911943",
                "151698437681026150919613016885079515193",
                "25991861100952883382001140085644960093",
                "272205592973470567086003009887811002051",
                "321192353035999880943423934767185693186",
                "335686708531239172395992492277289658567",
                "329963945152930438478869758782656414947",
                "108712305264454434216805754402809302544",
                "332239236242080749220241827485691247992",
                "274229069181856472620183768051795938726",
                "8376996099183153766262120323856755825",
                "326059997309244637837587532572144558116"
            ]
        },
        "id": "CVE-2026-48921-c1cc94e5",
        "signature_type": "Line",
        "target": {
            "file": "src/main/java/org/jenkinsci/plugins/workflow/libs/SCMBasedRetriever.java"
        }
    }
]
vanir_signatures_modified
"2026-07-15T06:10:17Z"
source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48921.json"