
CVE-2022-30948: Path traversal in Jenkins Mercurial Plugin

CVSS Score: 3.7 (CVSS v3.1)

Basic Information

EPSS Score: 0.8468%
Published: 5/18/2022
Updated: 1/28/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name: org.jenkins-ci.plugins:mercurial
Ecosystem: maven
Vulnerable Versions: <= 2.16
First Patched Version: 2.16.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from the checkout method's lack of validation for local path-based SCM URLs when executed on the Jenkins controller (non-remote workspace). The patch introduced a new abortIfSourceLocal() check to block local paths unless explicitly allowed, confirming the original method's insecure behavior. The added test cases in Security2478Test.java explicitly validate this scenario, demonstrating that the pre-patch checkout method permitted insecure local checkouts.
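The guard described above, reconstructed here as an added illustration and not the Mercurial plugin's own code: the class, method and exception names and the opt-in system property are assumptions, chosen only to show how a local-path check can fail closed on the controller while leaving agent checkouts unchanged.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added illustration of the abortIfSourceLocal() guard described above; class,
// method and property names are assumptions, not the Mercurial plugin's code.
public class LocalSourceGuard {
    // Opt-in switch an administrator could set deliberately (assumed name).
    static final String ALLOW_LOCAL_CHECKOUT_PROPERTY =
            "hudson.plugins.mercurial.MercurialSCM.ALLOW_LOCAL_CHECKOUT";

    // Stand-in for Jenkins' hudson.AbortException.
    static class LocalCheckoutAbortedException extends Exception {
        LocalCheckoutAbortedException(String msg) { super(msg); }
    }

    // A source is local when it has no scheme (a bare path), uses file:, or has
    // a one-letter scheme (a Windows drive letter); http/https/ssh are remote.
    static boolean isLocalSource(String source) {
        try {
            String scheme = new URI(source.trim()).getScheme();
            return scheme == null || scheme.length() == 1
                    || scheme.equalsIgnoreCase("file");
        } catch (URISyntaxException e) {
            return true; // unparseable: treat it as a path and fail closed
        }
    }

    // Refuse a local source when the checkout would run on the controller,
    // unless the administrator explicitly allowed it.
    static void abortIfSourceLocal(String source, boolean workspaceIsRemote)
            throws LocalCheckoutAbortedException {
        if (workspaceIsRemote) return;                                  // agent: unchanged
        if (Boolean.getBoolean(ALLOW_LOCAL_CHECKOUT_PROPERTY)) return;  // explicit opt-in
        if (isLocalSource(source)) {
            throw new LocalCheckoutAbortedException("Refusing local source '" + source
                    + "' on the controller; set -D" + ALLOW_LOCAL_CHECKOUT_PROPERTY
                    + "=true to allow it");
        }
    }

    public static void main(String[] args) throws Exception {
        abortIfSourceLocal("https://hg.example.org/repo", false); // remote URL: allowed
        abortIfSourceLocal("/srv/hg/repo", true);                 // on an agent: allowed
        try {
            abortIfSourceLocal("file:///srv/hg/repo", false);     // controller + local
        } catch (LocalCheckoutAbortedException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```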


WAF Protection Rules

WAF Rule

SCMs support a number of different URL schemes, including local file system paths (e.g. using file: URLs). Historically in Jenkins, only agents checked out from SCM, and if multiple projects share the same agent, there is no expected isolation between
