GHSA-4m7p-55jm-3vwv, CVE-2022-25173
maven/org.jenkins-ci.plugins.workflow/workflow-cps
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier uses the same checkout directories for distinct SCMs when reading the script file (typically Jenkinsfile) for Pipelines, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents.
All versions up to 2648.va9433432b33c
Upgrade to version 2648.2651.v230593e03e9f or above.
2022-06-21
source |