Cyber Resilience

CVE-2022-25176

Medium

Published: 15 February 2022

Published
15 February 2022
Modified
21 November 2024
KEV Added
Patch
15 February 2022
CVSS Score v3.1 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0064 71.1th percentile
Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-25176 is a medium-severity Link Following (CWE-59) vulnerability in Jenkins Pipeline\. Its CVSS base score is 6.5 (Medium).

Operationally, ranked in the top 28.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier follows symbolic links to locations outside of the checkout directory for the configured SCM when reading the script file (typically Jenkinsfile) for Pipelines, allowing attackers able to configure Pipelines to read arbitrary files…

more

on the Jenkins controller file system.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

jenkins
pipeline\
_groovy

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References