CVE-2022-25175

HIGH8.8EPSS 0.42%

Jenkins Pipeline: Multibranch Plugin vulnerable to OS Command Injection

發布日:2022/2/16修改日:2024/2/16

描述

Jenkins Pipeline: Multibranch Plugin 706.vd43c65dec013 and earlier uses distinct checkout directories per SCM for the readTrusted step, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents.

受影響套件(1)

Maven/org.jenkins-ci.plugins.workflow:workflow-multibranchfrom 0, < 707.v71c3f0a_6ccdb

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

參考連結(3)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-25175
WEBhttps://github.com/jenkinsci/workflow-multibranch-plugin/commit/71c3f0a6ccdb2ba43f43686826b0d62160df85e8
WEBhttps://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2463