CVE-2022-25175

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in maven/org.jenkins-ci.plugins.workflow/workflow-multibranch

Identifiers

GHSA-pj84-qjm3-77mg, CVE-2022-25175

Package Slug

maven/org.jenkins-ci.plugins.workflow/workflow-multibranch

Vulnerability

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Description

Jenkins Pipeline: Multibranch Plugin 706.vd43c65dec013 and earlier uses distinct checkout directories per SCM for the readTrusted step, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents.

Affected Versions

All versions up to 706.vd43c65dec013

Solution

Upgrade to version 707.v71c3f0a_6ccdb or above.

Last Modified

2022-06-21

source