CVE-2022-25178
Description
Jenkins Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier does not restrict the names of resources passed to the libraryResource step, allowing attackers with permission to configure Pipelines to read arbitrary files on the Jenkins controller file system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Pipeline: Shared Groovy Libraries Plugin allows arbitrary file read via libraryResource step due to insufficient resource name validation, enabling attackers with Pipelines permission to leak sensitive files.
Vulnerability
The Jenkins Pipeline: Shared Groovy Libraries Plugin, versions 552.vd9cc05b8a2e1 and earlier, does not restrict the names of resources passed to the libraryResource step. This allows an attacker who can configure Pipelines (i.e., has the Pipelines permission) to specify arbitrary file paths on the Jenkins controller file system, leading to reading arbitrary files. [1][2]
Exploitation
An attacker with the ability to configure Pipelines (typically granted by the Job/Configure permission) can craft a Pipeline script that uses the libraryResource step with a malicious resource name pointing to an arbitrary file path on the controller. The step will then read and return the contents of the file, which can be exfiltrated via the build output or other means. [1]
Impact
Successful exploitation allows the attacker to read arbitrary files from the Jenkins controller file system, including sensitive configuration files, credentials, and secrets. This can lead to a complete compromise of the Jenkins instance and its managed systems. [1][2]
Mitigation
Jenkins has released an updated version of the Pipeline: Shared Groovy Libraries Plugin that restricts resource names to a safe set. Users should upgrade to the latest version of the plugin. As of the advisory date, no version number is explicitly provided in the references, but the fix is available in the plugin's repository. [1][3]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins.workflow:workflow-cps-global-lib | Maven | >= 2.22, < 561.va_ce0de3c2d69 | 561.va_ce0de3c2d69 |
| org.jenkins-ci.plugins.workflow:workflow-cps-global-lib | Maven | >= 2.19, < 2.21.1 | 2.21.1 |
| org.jenkins-ci.plugins.workflow:workflow-cps-global-lib | Maven | < 2.18.1 | 2.18.1 |
Affected products
- GHSA coordinates, range: >= 2.22, < 561.va_ce0de3c2d69
- Jenkins project / Jenkins Pipeline: Shared Groovy Libraries Plugin (CVE record v5), range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-5hfv-mg5x-mv32 (GHSA, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-25178 (GHSA, ADVISORY)
- www.jenkins.io/security/advisory/2022-02-15/ (GHSA, x_refsource_CONFIRM, WEB)
News mentions
- Jenkins Security Advisory 2022-02-15 (Jenkins Security Advisories, Feb 15, 2022)