[MAVEN:GHSA-8VFC-FCR2-47PJ] Path traversal in Jenkins REPO Plugin

Severity Low

Affected Packages 3

Fixed Packages 3

CVEs 1

SCMs support a number of different URL schemes, including local file system paths (e.g. using file: URLs).

Historically in Jenkins, only agents checked out from SCM, and if multiple projects share the same agent, there is no expected isolation between builds besides using different workspaces unless overridden. Some Pipeline-related features check out SCMs from the Jenkins controller as well.

This allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller’s file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents.

Package	Affected Version
pkg:maven/org.jenkins-ci.plugins/repo	< 1.14.1
pkg:maven/org.jenkins-ci.plugins/mercurial	< 2.16.1
pkg:maven/org.jenkins-ci.plugins/git	< 4.11.2

Package	Fixed Version
pkg:maven/org.jenkins-ci.plugins/repo	= 1.14.1
pkg:maven/org.jenkins-ci.plugins/mercurial	= 2.16.1
pkg:maven/org.jenkins-ci.plugins/git	= 4.11.2

ID

MAVEN:GHSA-8VFC-FCR2-47PJ

Severity

low

URL

https://github.com/advisories/GHSA-8vfc-fcr2-47pj

Published

2022-05-18T00:00:40
(2 years ago)

Modified

2023-12-15T09:11:04
(9 months ago)

Rights

Maven Security Team

Other Advisories

JENKINS:SECURITY-2478

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2022-30949
			https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2478
			http://www.openwall.com/lists/oss-security/2022/05/17/8
			https://github.com/jenkinsci/repo-plugin/commit/8c9cbb88baffc64d1b63183235eb86c773108235
			https://github.com/jenkinsci/git-plugin/commit/b295606e0b865c298fde27bea14f9b7535a976e6
			https://github.com/jenkinsci/mercurial-plugin/commit/55904fbb8c9d3e0b36fc26330374904cb68e8758
			https://github.com/advisories/GHSA-8vfc-fcr2-47pj

Type	Package URL	Namespace	Name / Product	Version
Affected	pkg:maven/org.jenkins-ci.plugins/repo	org.jenkins-ci.plugins	repo	< 1.14.1
Fixed	pkg:maven/org.jenkins-ci.plugins/repo	org.jenkins-ci.plugins	repo	= 1.14.1
Affected	pkg:maven/org.jenkins-ci.plugins/mercurial	org.jenkins-ci.plugins	mercurial	< 2.16.1
Fixed	pkg:maven/org.jenkins-ci.plugins/mercurial	org.jenkins-ci.plugins	mercurial	= 2.16.1
Affected	pkg:maven/org.jenkins-ci.plugins/git	org.jenkins-ci.plugins	git	< 4.11.2
Fixed	pkg:maven/org.jenkins-ci.plugins/git	org.jenkins-ci.plugins	git	= 4.11.2

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date