CVE-2022-30947: Path traversal in Jenkins Git, Mercurial and Repo Plugins
Jenkins Git Plugin 4.11.1 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller’s file system using local paths as SCM URLs, obtaining limited information about other projects’ SCM contents.
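The defensive check this class of fix calls for, written as an added example for this page and not taken from the Jenkins plugins: SCM URLs that name a network remote are accepted, while anything that could resolve to a path on the controller's own disk is refused. The `allow_local` switch is a hypothetical administrator opt-in, and the sample URLs in the comments are constructed.

```python
"""Fail-closed SCM URL check in the spirit of the CVE-2022-30947 fix.

Added example for this page, not the Jenkins Git Plugin's own code.
"""
import re

# Network transports a Git remote legitimately uses.
REMOTE_SCHEMES = {"http", "https", "ssh", "git", "git+ssh", "ssh+git"}

# "scheme://" prefix, e.g. https://, ssh://, file://
_SCHEME = re.compile(r"^([A-Za-z][A-Za-z0-9+.-]*)://")
# scp-like [user@]host:path; the host needs 2+ chars, so a Windows drive
# letter such as C:\repos is never mistaken for a hostname.
_SCP_LIKE = re.compile(r"^(?:[^@/\\:\s]+@)?[^/\\:\s]{2,}:(?!//)\S+$")


def is_remote_scm_url(url: str) -> bool:
    """True only for URLs that clearly name a network remote.

    file://, absolute or relative paths, Windows drive and UNC paths and
    unknown schemes all return False, so the caller fails closed.
    """
    s = url.strip()
    m = _SCHEME.match(s)
    if m:
        return m.group(1).lower() in REMOTE_SCHEMES
    # No scheme: "/", ".", "~" or a backslash can never start a hostname.
    if s[:1] in ("/", ".", "~", "\\", ""):
        return False
    return bool(_SCP_LIKE.match(s))


class LocalCheckoutRejected(ValueError):
    """Raised when a pipeline offers a controller-local path as its SCM URL."""


def validate_scm_url(url: str, allow_local: bool = False) -> str:
    """Return the trimmed URL if it may be checked out, else raise.

    allow_local is a hypothetical administrator opt-in for setups that
    genuinely clone from the controller's disk; it defaults to off, e.g.
    "/var/lib/jenkins/jobs/other-job/workspace" (constructed) is refused.
    """
    if allow_local or is_remote_scm_url(url):
        return url.strip()
    raise LocalCheckoutRejected(
        f"refusing SCM URL {url!r}: local paths are not allowed as remotes")
```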
References
- www.openwall.com/lists/oss-security/2022/05/17/8
- github.com/advisories/GHSA-84cm-vjwm-m979
- github.com/jenkinsci/git-plugin/commit/b295606e0b865c298fde27bea14f9b7535a976e6
- github.com/jenkinsci/mercurial-plugin/commit/55904fbb8c9d3e0b36fc26330374904cb68e8758
- github.com/jenkinsci/repo-plugin/commit/3c8e6236b1088fc138a1a3e6af5ebbcb8b616f2f
- nvd.nist.gov/vuln/detail/CVE-2022-30947
- www.jenkins.io/security/advisory/2022-05-17/