CVE-2022-43405

A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Libraries Plugin 612.v84da9c54906d and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary co...

PT-2022-26889 · Jenkins · Jenkins Pipeline: Shared Groovy Libraries Plugin +2

Name of the Vulnerable Software and Affected Versions: Jenkins Pipeline: Groovy Libraries Plugin versions 612.v84da 9c54906d and earlier Jenkins Pipeline: Deprecated Groovy Libraries Plugin versions 583.vf3b 454e43966 and earlier Description: A sandbox bypass issue allows attackers with permissio...

CVE-2022-43406

A sandbox bypass vulnerability in Jenkins Pipeline: Deprecated Groovy Libraries Plugin 583.vf3b454e43966 and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute...

RHEL 8 : OpenShift Container Platform 4.7.52 paackages (RHSA-2022:4909)

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2022:4909 advisory. Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or privat...

Libraries: Untrusted users can modify some Pipeline libraries in Pipeline Shared Groovy Libraries Plugin

A flaw was found in the Jenkins Pipeline: Shared Groovy Libraries plugin. The Jenkins Pipeline: Shared Groovy Libraries plugin allows attackers to submit pull requests. However, the attacker cannot commit directly to the configured Source Control Management SCM to effectively change the Pipeline...

Missing Authorization in Jenkins Pipeline: Shared Groovy Libraries Plugin

A missing permission check in Jenkins Pipeline: Shared Groovy Libraries Plugin 2.14 and earlier allowed users with Overall/Read access to obtain limited information about the content of SCM repositories referenced by global libraries...

RHEL 8 : OpenShift Container Platform 4.9.33 (RHSA-2022:2205)

The remote Redhat Enterprise Linux 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2022:2205 advisory. Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or privat...

Libraries: Untrusted users can modify some Pipeline libraries in Pipeline Shared Groovy Libraries Plugin

A flaw was found in the Jenkins Pipeline: Shared Groovy Libraries plugin. The Jenkins Pipeline: Shared Groovy Libraries plugin allows attackers to submit pull requests. However, the attacker cannot commit directly to the configured Source Control Management SCM to effectively change the Pipeline...

Jenkins Enterprise and Operations Center 2.303.x < 2.303.30.0.10 / 2.332.2.6 Multiple Vulnerabilities (CloudBees Security Advisory 2022-04-12)

The version of Jenkins Enterprise or Jenkins Operations Center running on the remote web server is 2.303.x prior to 2.303.30.0.10, or 2.x prior to 2.332.2.6. It is, therefore, affected by multiple vulnerabilities, including the following: - Jenkins Pipeline: Shared Groovy Libraries Plugin...

workflow-cps-global-lib: Sandbox bypass vulnerability

A flaw was found in Jenkins. The Pipeline: Shared Groovy Libraries plugin uses the names of Pipeline libraries to create cache directories without any sanitization. This flaw allows attackers with item/configure permission to execute arbitrary code in the context of the Jenkins controller JVM,...

workflow-cps-global-lib: Sandbox bypass vulnerability

A flaw was found in Jenkins. The Pipeline: Shared Groovy Libraries Plugin uses the same workspace directory for all checkouts of Pipeline libraries with the same name, regardless of the SCM used and the source of the library configuration. This flaw allows attackers with item/configure permission...

workflow-cps-global-lib: Pipeline-related plugins follow symbolic links or do not limit path names

A flaw was found in Jenkins. The Pipeline: Shared Groovy Libraries does not restrict the names of resources passed to the libraryResource step. This flaw allows attackers who can configure Pipelines to read arbitrary files on the Jenkins controller file system...

workflow-cps-global-lib: OS command execution through crafted SCM contents

A flaw was found in Jenkins. The JenkinsPipeline: Shared Groovy Libraries uses the same checkout directories for distinct SCMs for Pipeline libraries. This flaw allows attackers with item/configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents. This...

workflow-cps-global-lib: Sandbox bypass vulnerability

A flaw was found in Jenkins. The Pipeline: Shared Groovy Libraries plugin uses the names of Pipeline libraries to create cache directories without any sanitization. This flaw allows attackers with item/configure permission to execute arbitrary code in the context of the Jenkins controller JVM,...

Sandbox Bypass

Jenkins Pipeline is vulnerable to sandbox bypass. It uses the names of Pipeline libraries to create cache directories without any sanitization, allowing attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM using specially crafted library...

workflow-cps-global-lib: Sandbox bypass vulnerability

A flaw was found in Jenkins. The Pipeline: Shared Groovy Libraries Plugin uses the names of Pipeline libraries to create directories without canonicalization or sanitization. This flaw allows attackers with item/configure permission to execute arbitrary code in the context of the Jenkins...

workflow-cps-global-lib: Sandbox bypass vulnerability

A flaw was found in Jenkins. The Pipeline: Shared Groovy Libraries plugin uses the names of Pipeline libraries to create cache directories without any sanitization. This flaw allows attackers with item/configure permission to execute arbitrary code in the context of the Jenkins controller JVM,...

workflow-cps-global-lib: Pipeline-related plugins follow symbolic links or do not limit path names

A flaw was found in Jenkins. The Pipeline: Shared Groovy Libraries does not restrict the names of resources passed to the libraryResource step. This flaw allows attackers who can configure Pipelines to read arbitrary files on the Jenkins controller file system...

workflow-cps-global-lib: Pipeline-related plugins follow symbolic links or do not limit path names

A flaw was found in Jenkins. The Pipeline: Shared Groovy Libraries follows symbolic links to locations outside of the expected Pipeline library when reading files using the libraryResource step. This flaw allows attackers who can configure Pipelines to read arbitrary files on the Jenkins controll...

workflow-cps-global-lib: OS command execution through crafted SCM contents

A flaw was found in Jenkins. The JenkinsPipeline: Shared Groovy Libraries uses the same checkout directories for distinct SCMs for Pipeline libraries. This flaw allows attackers with item/configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents. This...