VYPR
High severityNVD Advisory· Published Feb 15, 2022· Updated Aug 3, 2024

CVE-2022-25173

CVE-2022-25173

Description

Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier uses the same checkout directories for distinct SCMs when reading the script file (typically Jenkinsfile) for Pipelines, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.jenkins-ci.plugins.workflow:workflow-cpsMaven
>= 2646.v6ed3b5b01ff1, < 2656.vf7a2656.vf7a
org.jenkins-ci.plugins.workflow:workflow-cpsMaven
>= 2.93, < 2.94.12.94.1
org.jenkins-ci.plugins.workflow:workflow-cpsMaven
< 2.92.12.92.1

Affected products

2

Patches

Vulnerability mechanics

References

6

News mentions

1