GHSA-7w2w-fwpf-9m4h

Source

https://github.com/advisories/GHSA-7w2w-fwpf-9m4h

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-7w2w-fwpf-9m4h/GHSA-7w2w-fwpf-9m4h.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-7w2w-fwpf-9m4h

Aliases

CVE-2022-25181

Published

2022-02-16T00:01:32Z

Modified

2024-02-16T08:02:10.244452Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

Jenkins Pipeline: Deprecated Groovy Libraries Plugin Protection Mechanism Failure

Details

Jenkins Pipeline: Deprecated Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier uses the same workspace directory for all checkouts of Pipeline libraries with the same name regardless of the SCM being used and the source of the library configuration.

This allows attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM through crafted SCM contents, if a global Pipeline library already exists.

Pipeline: Deprecated Groovy Libraries Plugin 561.va_ce0de3c2d69 uses distinct checkout directories per SCM for Pipeline libraries.

Database specific

{
    "nvd_published_at": "2022-02-15T17:15:00Z",
    "cwe_ids": [
        "CWE-693"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-20T22:39:16Z"
}

References

Affected packages

Maven / org.jenkins-ci.plugins.workflow:workflow-cps-global-lib

Package

Name: org.jenkins-ci.plugins.workflow:workflow-cps-global-lib; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps-global-lib

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

561.va_ce0de3c2d69

Affected versions

0.*

0.1-beta-5

0.1-beta-6

0.1-beta-7

0.1-beta-8

1.*

1.0-beta-1

1.0

1.1

1.2

1.3

1.4

1.4.1

1.4.2

1.4.3-beta-1

1.4.3

1.5

1.6-alpha-1

1.6

1.7-alpha-1

1.7

1.8

1.9-beta-1

1.9

1.10-beta-1

1.10

1.10.1

1.11-beta-1

1.11-beta-2

1.11-beta-3

1.11-beta-4

1.11

1.12-beta-1

1.12-beta-2

1.12-beta-3

1.12

1.13

1.14-beta-1

1.14

1.14.1-beta-1

1.14.1

1.14.2

1.15-beta-1

1.15

2.*

2.0

2.1

2.2

2.3

2.4

2.5

2.6

2.7

2.8

2.9

2.10

2.11

2.12

2.12.1

2.13

2.13.1

2.14

2.15

2.16

2.17

2.18

2.18.1

2.19

2.20

2.21

2.21.1

2.21.3

544.*

544.vff04fa68714d

545.*

545.v7b28cce323cf

548.*

548.v9085a486966a

552.*

552.vd9cc05b8a2e1

552.554.vdba55efb9e88

Database specific

{
    "last_known_affected_version_range": "<= 552.vd9cc05b8a2e1"
}