CVE-2022-25173

8.8 HIGH

📋 TL;DR

This vulnerability in Jenkins Pipeline: Groovy Plugin allows attackers with Item/Configure permission to execute arbitrary operating system commands on the Jenkins controller by abusing checkout directories that the plugin shares between different SCMs. It affects Jenkins instances running the vulnerable plugin version and can lead to full compromise of the controller.

💻 Affected Systems

Products:
  • Jenkins Pipeline: Groovy Plugin
Versions: 2648.va9433432b33c and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Jenkins with Pipeline projects using the vulnerable plugin version.

⚠️ Risk & Real-World Impact

🔴 Worst Case
Complete compromise of the Jenkins controller with arbitrary command execution, leading to data theft, lateral movement, or ransomware deployment.

🟠 Likely Case
Attackers with Item/Configure permission execute commands to steal credentials, modify pipelines, or deploy malware.

🟢 If Mitigated
Limited impact if proper access controls restrict Item/Configure permissions to trusted users only.

🌐 Internet-Facing: HIGH if Jenkins is internet-facing and attackers can obtain Item/Configure permissions.
🏢 Internal Only: MEDIUM as it requires authenticated access with specific permissions.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires Item/Configure permission and knowledge of Jenkins pipeline scripting.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2648.va9433432b33c_rc or later

Vendor Advisory: https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2463

Restart Required: Yes

Instructions:

1. Update Jenkins Pipeline: Groovy Plugin to version 2648.va9433432b33c_rc or later via Jenkins Plugin Manager.
2. Restart Jenkins to apply the update.

🔧 Temporary Workarounds

Restrict Item/Configure Permissions
Applies to: all

Limit Item/Configure permissions to only trusted administrators to reduce attack surface.

🧯 If You Can't Patch

  • Implement strict access controls to limit Item/Configure permissions to essential users only.
  • Monitor Jenkins logs for unusual pipeline modifications or command execution attempts.

🔍 How to Verify

Check if Vulnerable:

Check the installed version of Pipeline: Groovy Plugin in Jenkins Plugin Manager. If the version is 2648.va9433432b33c or earlier, the system is vulnerable.

Check Version:

Navigate to Jenkins > Manage Jenkins > Plugin Manager and check the installed version of 'Pipeline: Groovy Plugin'.

Verify Fix Applied:

Verify plugin version is 2648.va9433432b33c_rc or later in Jenkins Plugin Manager.
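The manual check above can be scripted against the Jenkins plugin manager API. The following is an added example, not code from this page or from the Jenkins project: it reads the JSON that `GET /pluginManager/api/json?depth=1` returns, locates the Pipeline: Groovy Plugin by its plugin id `workflow-cps`, and decides whether the installed version falls inside the affected range as stated on this page (2648.va9433432b33c and earlier affected; 2648.va9433432b33c_rc the patch version). The sample JSON is constructed for the example; the version thresholds are taken from this page and not independently verified here.

```python
"""Check whether the installed Pipeline: Groovy Plugin version is inside the
affected range stated on this page for CVE-2022-25173 (added example)."""
import base64
import json
import re
import urllib.request

# Thresholds exactly as stated on this page (assumption: the page is correct).
AFFECTED_MAX_BUILD = 2648                 # "2648.va9433432b33c and earlier"
FIXED_VERSION = "2648.va9433432b33c_rc"   # "Patch Version" on this page
PLUGIN_SHORT_NAME = "workflow-cps"        # plugin id of "Pipeline: Groovy"

# Constructed sample of the plugin manager API response, trimmed to the
# fields this check uses. Not real output from any Jenkins instance.
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "plugins": [
        {"shortName": "git", "longName": "Git plugin",
         "version": "4.10.3", "active": True},
        {"shortName": "workflow-cps", "longName": "Pipeline: Groovy",
         "version": "2648.va9433432b33c", "active": True},
    ]
})
SAMPLE_EMPTY_JSON = '{"plugins": []}'   # constructed: plugin not installed


def build_number(version: str) -> int:
    """Leading integer of a Jenkins plugin version.

    Both the old '2.94' style and the new '2648.va9433432b33c' style start
    with an integer that increases with each release, so it orders releases.
    """
    m = re.match(r"(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised plugin version: {version!r}")
    return int(m.group(1))


def is_affected(version: str) -> bool:
    """True if `version` is within the affected range stated on this page."""
    if version == FIXED_VERSION:          # the page's patch version itself
        return False
    return build_number(version) <= AFFECTED_MAX_BUILD


def find_plugin(plugin_manager_json: str, short_name: str = PLUGIN_SHORT_NAME):
    """Return the plugin entry with the given shortName, or None."""
    data = json.loads(plugin_manager_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == short_name:
            return plugin
    return None


def assess(plugin_manager_json: str) -> dict:
    """Summarise installation state and exposure for the Pipeline: Groovy Plugin."""
    plugin = find_plugin(plugin_manager_json)
    if plugin is None:
        return {"installed": False, "version": None, "affected": False}
    version = plugin["version"]
    return {"installed": True, "version": version, "affected": is_affected(version)}


def fetch_plugin_manager_json(base_url: str, user: str, api_token: str) -> str:
    """Fetch the live plugin list with HTTP basic auth (user + Jenkins API token).

    Hypothetical helper for running the check against a real controller; the
    rest of this example works offline on the constructed sample above.
    """
    req = urllib.request.Request(f"{base_url.rstrip('/')}/pluginManager/api/json?depth=1")
    creds = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", f"Basic {creds}")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    print(assess(SAMPLE_PLUGIN_MANAGER_JSON))
```

Run as-is, the script evaluates the constructed sample and reports the installed version as affected; to assess a real controller, pass the string returned by `fetch_plugin_manager_json(...)` to `assess()` instead. After applying the fix from the Instructions above, rerun the check and confirm `affected` is `False`.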

📡 Detection & Monitoring

Log Indicators:

  • Unusual pipeline modifications
  • Unexpected SCM checkout activities
  • OS command execution in pipeline logs

Network Indicators:

  • Unusual outbound connections from Jenkins controller

SIEM Query:

source="jenkins.log" AND ("Pipeline: Groovy" OR "SCM checkout") AND ("command" OR "execute")
