Main Vulnerability Database Vulnerabilities #VU60638

#VU60638 UNIX symbolic link following in Pipeline: Shared Groovy Libraries - CVE-2022-25178

Published: February 16, 2022

Vulnerability identifier: #VU60638

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2022-25178

CWE-ID: CWE-61

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Pipeline: Shared Groovy Libraries

Software vendor:
Jenkins

Description

The vulnerability allows a remote attacker to gain access to sensitive information on the system.

The vulnerability exists due to the affected plugin does not restrict the names of resources passed to the "libraryResource" step. A remote user can create a specially crafted symbolic link to a critical file on the system and read arbitrary files on the Jenkins controller file system.

Remediation

Install updates from vendor's website.

External links

https://jenkins.io/security/advisory/2022-02-15/