CVE-2022-25177
Description
Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier follows symbolic links to locations outside of the expected Pipeline library when reading files using the libraryResource step, allowing attackers able to configure Pipelines to read arbitrary files on the Jenkins controller file system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Pipeline: Shared Groovy Libraries Plugin follows symlinks via libraryResource, allowing attackers to read arbitrary controller files.
Vulnerability
Jenkins Pipeline: Shared Groovy Libraries Plugin version 552.vd9cc05b8a2e1 and earlier follows symbolic links to locations outside of the expected Pipeline library when reading files using the libraryResource step [1][2]. This allows attackers able to configure Pipelines to read arbitrary files on the Jenkins controller file system [1][2].
Exploitation
An attacker must have the ability to configure Pipelines (e.g., Item/Configure permission) in order to exploit this vulnerability [1]. By crafting a Pipeline that uses the libraryResource step to read a file that is a symbolic link pointing outside the intended library directory, the attacker can cause the plugin to read arbitrary files on the controller's file system [1][2].
Impact
On successful exploitation, an attacker gains the ability to read arbitrary files from the Jenkins controller file system [1][2]. This could lead to disclosure of sensitive information such as credentials, configuration files, or source code stored on the controller.
Mitigation
Jenkins has released updated versions of the Pipeline: Shared Groovy Libraries Plugin that address this issue [1]. Users should upgrade to the latest version available from the Jenkins update center. No workarounds are provided in the available references [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
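The mechanics above come down to one missing check: the library resource path was built lexically, so a symbolic link placed under the library's `resources/` directory was followed wherever it pointed. The Python below is an added illustration, not the plugin's Java code and not the exact check the patched release uses (that detail is not in the advisory text); it builds a throwaway library layout in a temporary directory, contrasts a naive reader that follows the link with a hardened resolver that canonicalises both sides and enforces containment, and also rejects a plain `../` traversal. All file names and contents are constructed for the demo.

```python
import tempfile
from pathlib import Path


class ResourceEscapeError(Exception):
    """Raised when a requested resource does not resolve to a regular file inside the library."""


def read_resource_naive(library_root: Path, resource_name: str) -> str:
    """Vulnerable pattern: join the name onto resources/ and read whatever is there.

    A symlink inside resources/ (or a '../' component) is silently followed, so
    the caller can end up reading any file the process can open.
    """
    return (library_root / "resources" / resource_name).read_text()


def resolve_library_resource(library_root: Path, resource_name: str) -> Path:
    """Hardened resolver: canonicalise root and candidate, then require containment.

    Path.resolve() follows every symlink, so a link that points outside the
    library yields a canonical path that is not under the canonical root and is
    rejected even though its lexical path looked legitimate. Absolute names and
    '../' traversal fail the same test.
    """
    root = library_root.resolve(strict=True)
    candidate = (root / "resources" / resource_name).resolve()
    if root not in candidate.parents:
        raise ResourceEscapeError(f"{resource_name!r} resolves outside the library: {candidate}")
    if not candidate.is_file():
        raise ResourceEscapeError(f"{resource_name!r} is not a regular file inside the library")
    return candidate


def read_resource_safe(library_root: Path, resource_name: str) -> str:
    """Read a resource only after it passed the containment check."""
    return resolve_library_resource(library_root, resource_name).read_text()


def build_fixture(base: Path) -> Path:
    """Constructed fixture: a tiny shared library plus a file that lives outside it."""
    lib = base / "my-shared-lib"
    (lib / "resources").mkdir(parents=True)
    (lib / "resources" / "config.yaml").write_text("greeting: hello\n")
    outside = base / "outside-the-library" / "controller-only.txt"
    outside.parent.mkdir()
    outside.write_text("controller-only data\n")
    # The problematic case: a symlink under resources/ pointing outside the library.
    (lib / "resources" / "escape.yaml").symlink_to(outside)
    return lib


def demo() -> dict:
    """Run both readers over the fixture and report what each one returned."""
    names = ("config.yaml", "escape.yaml", "../../outside-the-library/controller-only.txt")
    results = {"naive": {}, "safe": {}}
    with tempfile.TemporaryDirectory() as tmp:
        lib = build_fixture(Path(tmp))
        for name in names:
            results["naive"][name] = read_resource_naive(lib, name)
            try:
                results["safe"][name] = read_resource_safe(lib, name)
            except ResourceEscapeError as exc:
                results["safe"][name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for mode, outcome in demo().items():
        for name, value in outcome.items():
            print(f"[{mode}] {name}: {value.strip()}")
```

The containment test compares canonical paths on both sides; comparing the lexical candidate against a canonical root (or vice versa) would let the symlink case through. Whether to forbid symlinks inside the library entirely, rather than only ones that escape it, is a policy choice; the check above allows in-library links because they cannot reach files the library does not already ship.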
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins.workflow:workflow-cps-global-lib | Maven | >= 2.22, < 561.va_ce0de3c2d69 | 561.va_ce0de3c2d69 |
| org.jenkins-ci.plugins.workflow:workflow-cps-global-lib | Maven | >= 2.19, < 2.21.1 | 2.21.1 |
| org.jenkins-ci.plugins.workflow:workflow-cps-global-lib | Maven | < 2.18.1 | 2.18.1 |
Affected products
- GHSA coordinates; range: >= 2.22, < 561.va_ce0de3c2d69
- Jenkins project / Jenkins Pipeline: Shared Groovy Libraries Plugin (v5); range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-q234-x887-9rxh (GHSA; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-25177 (GHSA; ADVISORY)
- www.jenkins.io/security/advisory/2022-02-15/ (GHSA; x_refsource_CONFIRM; WEB)
News mentions
- Jenkins Security Advisory 2022-02-15 (Jenkins Security Advisories, Feb 15, 2022)