CVE-2022-25177
MEDIUMJenkins Pipeline < 552.vd9cc05b8a2e1 - Arbitrary File Read via libraryResource Step
Title source: llmDescription
Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier follows symbolic links to locations outside of the expected Pipeline library when reading files using the libraryResource step, allowing attackers able to configure Pipelines to read arbitrary files on the Jenkins controller file system.
References (1)
Core 1
Core References
Patch, Vendor Advisory x_refsource_confirm
https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2613
Scores
CVSS v3
6.5
EPSS
0.0064
EPSS Percentile
70.8%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-59
Status
published
Products (2)
jenkins/pipeline\
< 552.vd9cc05b8a2e1
org.jenkins-ci.plugins.workflow/workflow-cps-global-lib
2.22 - 561.va_ce0de3c2d69Maven
Published
Feb 15, 2022
Tracked Since
Feb 18, 2026