CVE-2022-25176

Improper Link Resolution Before File Access ('Link Following') in maven/org.jenkins-ci.plugins.workflow/workflow-cps

Identifiers

GHSA-6473-gqrj-4p65, CVE-2022-25176

Package Slug

maven/org.jenkins-ci.plugins.workflow/workflow-cps

Vulnerability

Improper Link Resolution Before File Access ('Link Following')

Description

Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier follows symbolic links to locations outside of the checkout directory for the configured SCM when reading the script file (typically Jenkinsfile) for Pipelines, allowing attackers able to configure Pipelines to read arbitrary files on the Jenkins controller file system.

Affected Versions

All versions up to 2648.va9433432b33c

Solution

Upgrade to version 2648.2651.v230593e03e9f or above.

Last Modified

2022-06-21

source