3.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-30948

GHSA ID

GHSA-5786-3qjg-mr88

EPSS Score

0.8468%

CWE

CWE-22

Published

5/18/2022

Updated

1/28/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-30948

CVE-2022-30948: Path traversal in Jenkins Mercurial Plugin

SCMs support a number of different URL schemes, including local file system paths (e.g. using file: URLs).

Historically in Jenkins, only agents checked out from SCM, and if multiple projects share the same agent, there is no expected isolation between builds besides using different workspaces unless overridden. Some Pipeline-related features check out SCMs from the Jenkins controller as well.

This allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller’s file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents

(GitHub Advisory)

3.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-30948

GHSA ID

GHSA-5786-3qjg-mr88

EPSS Score

0.8468%

CWE

CWE-22

Published

5/18/2022

Updated

1/28/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:mercurial	maven	<= 2.16	2.16.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the checkout method's lack of validation for local path-based SCM URLs when executed on the Jenkins controller (non-remote workspace). The patch introduced a new abortIfSourceLocal() check to block local paths unless explicitly allowed, confirming the original method's insecure behavior. The added test cases in Security2478Test.java explicitly validate this scenario, demonstrating that the pre-patch checkout method permitted insecure local checkouts.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

S*Ms support * num**r o* *i***r*nt URL s***m*s, in*lu*in* lo**l *il* syst*m p*t*s (*.*. usin* *il*: URLs). *istori**lly in J*nkins, only ***nts ****k** out *rom S*M, *n* i* multipl* proj**ts s**r* t** s*m* ***nt, t**r* is no *xp**t** isol*tion **tw*

Reasoning

T** vuln*r**ility st*ms *rom t** ****kout m*t*o*'s l**k o* v*li**tion *or lo**l p*t*-**s** S*M URLs w**n *x**ut** on t** J*nkins *ontroll*r (non-r*mot* worksp***). T** p*t** intro*u*** * n*w `**ortI*Sour**Lo**l()` ****k to *lo*k lo**l p*t*s unl*ss *x

3.7

Basic Information

Concerned about an active attack path?

CVE-2022-30948: Path traversal in Jenkins Mercurial Plugin

3.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI