CVE-2022-25179
Description
Jenkins Pipeline: Multibranch Plugin follows symbolic links in readTrusted step, allowing attackers to read arbitrary files on the controller.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Jenkins Pipeline: Multibranch Plugin versions 706.vd43c65dec013 and earlier contain a symbolic link vulnerability in the readTrusted step. When reading files, the plugin follows symbolic links to locations outside the checkout directory of the configured SCM, even though the step is intended to restrict access to that directory. This affects the plugin used for Pipeline multibranch projects and its readTrusted step, which is designed to read files securely from the SCM checkout [1][2].
Exploitation
An attacker must have the ability to configure Pipelines, specifically the Item/Configure permission, on a Jenkins instance. The attacker can craft SCM contents (e.g., create a symbolic link pointing outside the checkout directory in the repository being checked out). When the readTrusted step is executed on a Jenkins agent (or the controller), the plugin follows the symbolic link and reads the target file outside the intended boundaries. No user interaction beyond the pipeline execution is required [1][2].
Impact
Successful exploitation allows the attacker to read arbitrary files from the Jenkins controller file system, potentially including sensitive configuration files, credentials, or other secrets. This is a confidentiality impact, with no direct impact on integrity or availability [1][2].
Mitigation
The advisory lists Pipeline: Multibranch Plugin versions 706.vd43c65dec013 and earlier as affected but does not name the fixed version number. Users should upgrade to the latest available version of the plugin from the Jenkins update center. If upgrading is not possible, restrict Item/Configure permissions to trusted users only until the patch is applied [1].
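As an added illustration (not the plugin's code and not the actual fix), the check a trusted-read step needs: resolve the requested name through any symlinks and refuse it unless the real target still lies inside the real checkout directory. Class and method names are hypothetical, and the demo files are constructed in a temporary directory.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/** Illustrative containment check for a "read within checkout only" step. */
public final class TrustedPathCheck {

    /** Returns the real path of relativeName if it stays inside checkoutDir, else throws. */
    public static Path resolveInside(Path checkoutDir, String relativeName) throws IOException {
        // Canonicalise the root first so a checkout dir reached via a symlink compares correctly.
        Path root = checkoutDir.toRealPath();
        Path requested = root.resolve(relativeName).normalize();

        // Lexical check: catches "../" escapes in the name itself.
        if (!requested.startsWith(root)) {
            throw new SecurityException(relativeName + " escapes the checkout directory");
        }
        // Filesystem check: toRealPath() follows symlinks, which normalize() cannot see.
        // (A race between this check and the later open still exists; open the returned
        // real path, not the original name, to keep the window as small as possible.)
        Path real = requested.toRealPath();
        if (!real.startsWith(root)) {
            throw new SecurityException(relativeName + " links to " + real + " outside the checkout directory");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed demo: a checkout with a regular file and a symlink to a file outside it.
        Path outsideSecret = Files.createTempFile("outside-secret", ".txt");
        Path checkout = Files.createTempDirectory("checkout");
        Files.writeString(checkout.resolve("Jenkinsfile"), "pipeline { agent any }");
        Files.createSymbolicLink(checkout.resolve("escape"), outsideSecret);

        System.out.println("allowed:  " + resolveInside(checkout, "Jenkinsfile"));
        for (String bad : new String[] {"escape", "../" + outsideSecret.getFileName()}) {
            try {
                resolveInside(checkout, bad);
            } catch (SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```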
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins.workflow:workflow-multibranch (Maven) | >= 2.24, < 2.26.1 | 2.26.1 |
| org.jenkins-ci.plugins.workflow:workflow-multibranch (Maven) | < 2.23.1 | 2.23.1 |
| org.jenkins-ci.plugins.workflow:workflow-multibranch (Maven) | >= 696.v52535c46f4c9, < 696.698.v9b4218eea50f | 696.698.v9b4218eea50f |
| org.jenkins-ci.plugins.workflow:workflow-multibranch (Maven) | >= 706.vd43c65dec013, < 707.v71c3f0a | 707.v71c3f0a |
Affected products
- Jenkins project / Jenkins Pipeline: Multibranch Plugin (range: unspecified)
Patches
No patches discovered yet.
References
News mentions
- Jenkins Security Advisory 2022-02-15, Jenkins Security Advisories, Feb 15, 2022