
CVE-2022-25181: Jenkins Pipeline: Deprecated Groovy Libraries Plugin Protection Mechanism Failure

CVSS Score (v3.1): 8.8

Basic Information

EPSS Score: 0.3739%
Published: 2/16/2022
Updated: 12/22/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name: org.jenkins-ci.plugins.workflow:workflow-cps-global-lib
Ecosystem: maven
Vulnerable Versions: <= 552.vd9cc05b8a2e1
First Patched Version: 561.va_ce0de3c2d69

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stemmed from using non-unique workspace directories based solely on library names. The commit diff shows:

  1. LibraryAdder's retrieve() originally used 'libs/ + name' directory paths.
  2. SCMSourceRetriever's doRetrieve() used baseWorkspace + name without SCM context.

These implementations failed to account for SCM source differences, allowing workspace collisions between libraries that share a name. The patch introduced directoryNameFor(), which applies HMAC hashing to the name, version, trusted and source parameters to ensure uniqueness.
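The difference between the two naming schemes, as an added Java example that is not the plugin's code: the class name, `legacyDir`, the length-prefixed field encoding, the random per-controller key and the sample library values are assumptions made for illustration; only the 'libs/' + name path and the directoryNameFor() inputs come from the analysis above.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.HexFormat; // Java 17+

public class LibraryDirDemo {
    // Pre-patch scheme described above: the directory depends on the library name only.
    static String legacyDir(String name) {
        return "libs/" + name;
    }

    // Hypothetical stand-in for the patched idea: derive the directory from every
    // attribute that distinguishes one library checkout from another.
    static String directoryNameFor(byte[] key, String name, String version,
                                   boolean trusted, String source) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        for (String field : new String[] {name, version, String.valueOf(trusted), source}) {
            byte[] b = field.getBytes(StandardCharsets.UTF_8);
            // Length prefix keeps ("ab","c") and ("a","bc") from hashing alike.
            mac.update(ByteBuffer.allocate(4).putInt(b.length).array());
            mac.update(b);
        }
        return "libs/" + HexFormat.of().formatHex(mac.doFinal());
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32]; // assumption: a secret generated once per controller
        new SecureRandom().nextBytes(key);

        // Constructed sample: same library name, different SCM source and trust level.
        String name = "shared-utils", version = "main";
        String trustedSrc = "git https://scm.example/org/shared-utils.git";
        String untrustedSrc = "git https://scm.example/fork/shared-utils.git";

        boolean legacyCollides = legacyDir(name).equals(legacyDir(name));
        String a = directoryNameFor(key, name, version, true, trustedSrc);
        String b = directoryNameFor(key, name, version, false, untrustedSrc);

        System.out.println("legacy scheme shares one directory: " + legacyCollides);
        System.out.println("keyed scheme shares one directory:  " + a.equals(b));
        System.out.println(a);
        System.out.println(b);
    }
}
```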


WAF Protection Rules

WAF Rule

Jenkins Pipeline: Deprecated Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier uses the same workspace directory for all checkouts of Pipeline libraries with the same name regardless of the SCM being used and the source of the library configurati
