Jenkins Pipeline: Deprecated Groovy Libraries Plugin Protection Mechanism Failure
High severity
GitHub Reviewed
Published
Feb 16, 2022
to the GitHub Advisory Database
•
Updated Dec 22, 2023
Package
Affected versions
<= 552.vd9cc05b8a2e1
Patched versions
561.va_ce0de3c2d69
Description
Published by the National Vulnerability Database
Feb 15, 2022
Published to the GitHub Advisory Database
Feb 16, 2022
Reviewed
Jun 20, 2022
Last updated
Dec 22, 2023
Jenkins Pipeline: Deprecated Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier uses the names of Pipeline libraries to create directories without canonicalization or sanitization.
This allows attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM using specially crafted library names if a global Pipeline library is already configured.
Pipeline: Deprecated Groovy Libraries Plugin 561.va_ce0de3c2d69 sanitizes the names of Pipeline libraries when creating library directories.
References