CVE-2022-25173

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in maven/org.jenkins-ci.plugins.workflow/workflow-cps

Identifiers

GHSA-4m7p-55jm-3vwv, CVE-2022-25173

Package Slug

maven/org.jenkins-ci.plugins.workflow/workflow-cps

Vulnerability

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Description

Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier uses the same checkout directories for distinct SCMs when reading the script file (typically Jenkinsfile) for Pipelines, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents.

Affected Versions

All versions up to 2648.va9433432b33c

Solution

Upgrade to version 2648.2651.v230593e03e9f or above.

Last Modified

2022-06-21

source