CVE-2022-25176
MEDIUMJenkins Pipeline < 2648.va9433432b33c - Arbitrary File Read via Symbolic Link Following
Title source: llmDescription
Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier follows symbolic links to locations outside of the checkout directory for the configured SCM when reading the script file (typically Jenkinsfile) for Pipelines, allowing attackers able to configure Pipelines to read arbitrary files on the Jenkins controller file system.
References (1)
Core 1
Core References
Patch, Vendor Advisory x_refsource_confirm
https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2613
Scores
CVSS v3
6.5
EPSS
0.0064
EPSS Percentile
70.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-59
Status
published
Products (2)
jenkins/pipeline\
< 2648.va9433432b33c
org.jenkins-ci.plugins.workflow/workflow-cps
2.93 - 2.94.1Maven
Published
Feb 15, 2022
Tracked Since
Feb 18, 2026