CVE-2022-25178 — Improper Limitation of a Pathname to a Restricted Directory in Jenkins Pipeline:

Description

Jenkins Pipeline: Shared Groovy Libraries Plugin does not restrict the names of resources passed to the libraryResource step, allowing attackers able to configure Pipelines permission to read arbitrary files on the Jenkins controller file system.

How to fix CVE-2022-25178

To remediate CVE-2022-25178, upgrade the affected package to a fixed version below.

—upgrade to 561.va_ce0de3c2d69 or later

Is CVE-2022-25178 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 2.22, < 561.va_ce0de3c2d69

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-25178
PATCHgithub.com/jenkinsci/workflow-cps-global-lib-plugin
WEBwww.jenkins.io/security/advisory/2022-02-15/#SECURITY-2613