GHSA-q234-x887-9rxh

Source
https://github.com/advisories/GHSA-q234-x887-9rxh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-q234-x887-9rxh/GHSA-q234-x887-9rxh.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-q234-x887-9rxh
Aliases
  • CVE-2022-25177
Published
2022-02-16T00:01:35Z
Modified
2023-11-08T04:08:42.190805Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Improper Link Resolution Before File Access in Jenkins Pipeline: Shared Groovy Libraries Plugin
Details

Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier follows symbolic links to locations outside of the expected Pipeline library when reading files using the libraryResource step, allowing attackers able to configure Pipelines to read arbitrary files on the Jenkins controller file system.

Database specific
{
    "nvd_published_at": "2022-02-15T17:15:00Z",
    "cwe_ids": [
        "CWE-59"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-06-20T22:46:46Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins.workflow:workflow-cps-global-lib

Package

Name
org.jenkins-ci.plugins.workflow:workflow-cps-global-lib
Purl
pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps-global-lib

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.22
Fixed
561.va_ce0de3c2d69

Affected versions

544.*

544.vff04fa68714d

545.*

545.v7b28cce323cf

548.*

548.v9085a486966a

552.*

552.vd9cc05b8a2e1
552.554.vdba55efb9e88

Database specific

{
    "last_known_affected_version_range": "<= 552.vd9cc05b8a2e1"
}

Maven / org.jenkins-ci.plugins.workflow:workflow-cps-global-lib

Package

Name
org.jenkins-ci.plugins.workflow:workflow-cps-global-lib
Purl
pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps-global-lib

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.19
Fixed
2.21.1

Affected versions

2.*

2.19
2.20
2.21

Maven / org.jenkins-ci.plugins.workflow:workflow-cps-global-lib

Package

Name
org.jenkins-ci.plugins.workflow:workflow-cps-global-lib
Purl
pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps-global-lib

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2.18.1

Affected versions

0.*

0.1-beta-5
0.1-beta-6
0.1-beta-7
0.1-beta-8

1.*

1.0-beta-1
1.0
1.1
1.2
1.3
1.4
1.4.1
1.4.2
1.4.3-beta-1
1.4.3
1.5
1.6-alpha-1
1.6
1.7-alpha-1
1.7
1.8
1.9-beta-1
1.9
1.10-beta-1
1.10
1.10.1
1.11-beta-1
1.11-beta-2
1.11-beta-3
1.11-beta-4
1.11
1.12-beta-1
1.12-beta-2
1.12-beta-3
1.12
1.13
1.14-beta-1
1.14
1.14.1-beta-1
1.14.1
1.14.2
1.15-beta-1
1.15

2.*

2.0
2.1
2.2
2.3
2.4
2.5
2.6
2.7
2.8
2.9
2.10
2.11
2.12
2.12.1
2.13
2.13.1
2.14
2.15
2.16
2.17
2.18