Main Vulnerability Database Vulnerabilities #VU60634

#VU60634 UNIX symbolic link following in Pipeline: Groovy - CVE-2022-25176

Published: February 16, 2022

Vulnerability identifier: #VU60634

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2022-25176

CWE-ID: CWE-61

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Pipeline: Groovy

Software vendor:
Jenkins

Description

The vulnerability allows a remote attacker to gain access to sensitive information on the system.

The vulnerability exists due to the affected plugin follows symbolic links to locations outside of the checkout directory for the configured SCM when reading the script file (typically Jenkinsfile) for Pipelines. A remote user can create a specially crafted symbolic link to a critical file on the system and gain access to sensitive information.

Remediation

Install updates from vendor's website.

External links

https://jenkins.io/security/advisory/2022-02-15/