CVE-2022-25181: Jenkins Pipeline: Deprecated Groovy Libraries Plugin Protection Mechanism Failure
8.8
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.3739%
CWE
Published
2/16/2022
Updated
12/22/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.jenkins-ci.plugins.workflow:workflow-cps-global-lib | maven | <= 552.vd9cc05b8a2e1 | 561.va_ce0de3c2d69 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stemmed from using non-unique workspace directories based solely on library names. The commit diff shows:
- LibraryAdder's retrieve() originally used 'libs/ + name' directory paths
- SCMSourceRetriever's doRetrieve() used baseWorkspace + name without SCM context These implementations failed to account for SCM source differences, allowing workspace collisions. The patch introduced directoryNameFor() with HMAC hashing of name/version/trusted/source parameters to ensure uniqueness.