CVE-2022-25183Incorrect Behavior Order: Early Validation in Project Jenkins Pipeline Shared Groovy Libraries Plugin

CWE-179Incorrect Behavior Order: Early ValidationCWE-693Protection Mechanism Failure6 documents6 sources
Severity
8.8HIGHNVD
EPSS
0.4%
top 39.53%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Jenkins Project Jenkins Pipeline Shared Groovy Libraries PluginJenkins Pipeline
Timeline
PublishedFeb 15
Latest updateFeb 16

Description

Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier uses the names of Pipeline libraries to create cache directories without any sanitization, allowing attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM using specially crafted library names if a global Pipeline library configured to use caching already exists.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

NVDjenkins/pipeline552.vd9cc05b8a2e1

Patches

Patch: www.jenkins.ioPatch: www.jenkins.io

🔴Vulnerability Details

3
GHSA
Jenkins Pipeline: Deprecated Groovy Libraries Plugin Protection Mechanism Failure2022-02-16
OSV
Jenkins Pipeline: Deprecated Groovy Libraries Plugin Protection Mechanism Failure2022-02-16
CVEList
CVE-2022-25183: Jenkins Pipeline: Shared Groovy Libraries Plugin 5522022-02-15

📋Vendor Advisories

2
Red Hat
workflow-cps-global-lib: Sandbox bypass vulnerability2022-02-15
Jenkins
Jenkins Security Advisory 2022-02-152022-02-15
CVE-2022-25183 — HIGH severity | cvebase