CVE-2022-25176
Description
Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier follows symbolic links to locations outside of the checkout directory for the configured SCM when reading the script file (typically Jenkinsfile) for Pipelines, allowing attackers able to configure Pipelines to read arbitrary files on the Jenkins controller file system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Pipeline: Groovy Plugin lets attackers read arbitrary files via symbolic link traversal when reading Pipeline script files.
Vulnerability
Jenkins Pipeline: Groovy Plugin versions 2648.va9433432b33c and earlier follow symbolic links to locations outside of the checkout directory for the configured SCM when reading the script file (typically Jenkinsfile) for Pipelines. This allows attackers with Item/Configure permission to read arbitrary files on the Jenkins controller file system [1][2].
Exploitation
An attacker must have Item/Configure permission to configure a Pipeline. By crafting a Pipeline that uses a script file (Jenkinsfile) containing symbolic links pointing to files outside the checkout directory, the attacker can cause the plugin to follow the symlink and read the target file [1][2].
Impact
Successful exploitation allows the attacker to read arbitrary files from the Jenkins controller file system, leading to information disclosure. The attacker is limited to reading files that the Jenkins controller process has access to [1][2].
Mitigation
The vulnerability is fixed in Pipeline: Groovy Plugin version 2656.vf7a_e7b_75a_457, which uses distinct checkout directories per SCM when reading the script file [1]. Users should upgrade to this version or later. As a workaround, restrict Item/Configure permission to trusted users only [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.jenkins-ci.plugins.workflow:workflow-cpsMaven | >= 2.93, < 2.94.1 | 2.94.1 |
org.jenkins-ci.plugins.workflow:workflow-cpsMaven | < 2.92.1 | 2.92.1 |
org.jenkins-ci.plugins.workflow:workflow-cpsMaven | >= 2.95, < 2648.2651.v230593e03e9f | 2648.2651.v230593e03e9f |
Affected products
2- Jenkins project/Jenkins Pipeline: Groovy Pluginv5Range: unspecified
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- github.com/advisories/GHSA-6473-gqrj-4p65ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2022-25176ghsaADVISORY
- www.jenkins.io/security/advisory/2022-02-15/ghsax_refsource_CONFIRMWEB
News mentions
1- Jenkins Security Advisory 2022-02-15Jenkins Security Advisories · Feb 15, 2022