CVE-2022-25175

HIGH8.8EPSS 0.42%

Jenkins Pipeline: Multibranch Plugin vulnerable to OS Command Injection

Published: 2/16/2022Modified: 2/16/2024

Description

Jenkins Pipeline: Multibranch Plugin 706.vd43c65dec013 and earlier uses distinct checkout directories per SCM for the readTrusted step, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents.

Affected packages (1)

Maven/org.jenkins-ci.plugins.workflow:workflow-multibranchfrom 0, < 707.v71c3f0a_6ccdb

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-25175
WEBhttps://github.com/jenkinsci/workflow-multibranch-plugin/commit/71c3f0a6ccdb2ba43f43686826b0d62160df85e8
WEBhttps://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2463