CVE-2022-25175
📋 TL;DR
This vulnerability in Jenkins Pipeline: Multibranch Plugin allows attackers with Item/Configure permission to execute arbitrary operating system commands on the Jenkins controller by exploiting shared checkout directories in the readTrusted step. It affects Jenkins instances using the vulnerable plugin versions, potentially leading to complete system compromise.
💻 Affected Systems
- Jenkins Pipeline: Multibranch Plugin
📦 What is this software?
Pipeline: Multibranch Plugin by Jenkins
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of the Jenkins controller with attacker gaining root/system-level access, allowing data theft, lateral movement, and persistent backdoor installation.
Likely Case
Attackers with Item/Configure permission execute commands to steal credentials, modify pipelines, or deploy malware within the Jenkins environment.
If Mitigated
Limited impact if proper access controls restrict Item/Configure permissions to trusted administrators only.
🎯 Exploit Status
Exploitation requires Item/Configure permission but is straightforward once that access is obtained. The vulnerability is in the SCM checkout directory handling.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 707.vddb_a_714a_ff24 and later
Vendor Advisory: https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2463
Restart Required: Yes
Instructions:
1. Update Jenkins Pipeline: Multibranch Plugin to version 707.vddb_a_714a_ff24 or later via Jenkins Plugin Manager.
2. Restart Jenkins to apply the update.
3. Verify the plugin version in Manage Jenkins > Manage Plugins.
🔧 Temporary Workarounds
Restrict Item/Configure Permissions
Limit Item/Configure permissions to trusted administrators only to prevent exploitation.
Configure Jenkins security matrix to restrict permissions
Disable Vulnerable Plugin
Temporarily disable the Pipeline: Multibranch Plugin if it is not essential.
Manage Jenkins > Manage Plugins > Installed > Pipeline: Multibranch Plugin > Disable
🧯 If You Can't Patch
- Implement strict access controls to limit Item/Configure permissions to minimal trusted users only.
- Monitor Jenkins logs for suspicious SCM checkout activities and command execution attempts.
🔍 How to Verify
Check if Vulnerable:
Check plugin version in Jenkins web interface: Manage Jenkins > Manage Plugins > Installed > Pipeline: Multibranch Plugin. If version is 706.vd43c65dec013 or earlier, you are vulnerable.
Check Version:
# Query the plugin manager API for the Pipeline: Multibranch Plugin (artifact id workflow-multibranch, not pipeline-multibranch-defaults, which is a different plugin); most controllers require a user and API token for this endpoint.
curl -s -u "$JENKINS_USER:$JENKINS_API_TOKEN" 'http://jenkins-host/pluginManager/api/json?depth=1' | grep -o '"shortName":"workflow-multibranch"[^}]*'
Verify Fix Applied:
Verify plugin version is 707.vddb_a_714a_ff24 or later in Manage Jenkins > Manage Plugins > Installed.
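The same version check, scripted so it can run against many controllers or inside a compliance job. This is an added example and not code from the advisory or the Jenkins project. It assumes the plugin's artifact id is workflow-multibranch (the id of "Pipeline: Multibranch Plugin"), takes the fixed version 707.vddb_a_714a_ff24 from the advisory summary above, authenticates with a user and API token, and treats the leading numeric component of a Jenkins incremental version ("706.vd43c65dec013") as its ordering key; the sample API response is constructed.

```python
"""Check whether a Jenkins controller runs a Pipeline: Multibranch Plugin
release affected by CVE-2022-25175 (706.vd43c65dec013 and earlier)."""
import json
import re
import urllib.request
from base64 import b64encode

# Artifact id of "Pipeline: Multibranch Plugin" in the plugin manager API.
PLUGIN_SHORT_NAME = "workflow-multibranch"
# First fixed release, as stated in the advisory summary above.
FIXED_VERSION = "707.vddb_a_714a_ff24"


def version_key(version: str) -> tuple:
    """Sort key for Jenkins plugin versions.

    Works for classic dotted versions ("2.26") and incremental versions
    ("706.vd43c65dec013"): leading numeric components are compared as
    integers; the trailing "v<hash>" tag carries no ordering and is dropped.
    """
    numbers = []
    for part in version.split("."):
        if re.fullmatch(r"\d+", part):
            numbers.append(int(part))
        else:
            break  # first non-numeric component: hash tag or qualifier
    return tuple(numbers)


def installed_version(plugins_json: str, short_name: str = PLUGIN_SHORT_NAME):
    """Return the installed version of short_name from pluginManager/api/json, or None."""
    data = json.loads(plugins_json)
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") == short_name:
            return plugin.get("version")
    return None


def is_vulnerable(plugins_json: str, fixed: str = FIXED_VERSION) -> bool:
    """True if the plugin is installed and older than the fixed release."""
    version = installed_version(plugins_json)
    if version is None:
        return False  # plugin absent: this issue does not apply
    return version_key(version) < version_key(fixed)


def fetch_plugins_json(base_url: str, user: str, api_token: str) -> str:
    """Fetch the plugin list with basic auth (user + Jenkins API token)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/pluginManager/api/json?depth=1")
    creds = b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + creds)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


# Constructed sample response, trimmed to the fields this check reads.
SAMPLE_RESPONSE = json.dumps({
    "_class": "hudson.LocalPluginManager",
    "plugins": [
        {"shortName": "workflow-multibranch", "version": "706.vd43c65dec013", "enabled": True},
        {"shortName": "pipeline-multibranch-defaults", "version": "2.1", "enabled": True},
    ],
})

if __name__ == "__main__":
    # Replace SAMPLE_RESPONSE with fetch_plugins_json(url, user, token) for a live check.
    print("vulnerable" if is_vulnerable(SAMPLE_RESPONSE) else "fixed or not installed")
```

Comparing only the leading number is enough here because the advisory boundary (706 vs 707) is expressed in that component; an old-style "2.x" version also sorts below 707 and is correctly reported as vulnerable.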
📡 Detection & Monitoring
Log Indicators:
- Unusual SCM checkout patterns in Jenkins logs
- Unexpected OS command execution in pipeline logs
- Failed permission attempts for Item/Configure actions
Network Indicators:
- Unusual outbound connections from Jenkins controller to external systems
SIEM Query:
source="jenkins.log" AND ("readTrusted" OR "checkout" OR "SCM") AND ("command" OR "exec" OR "Runtime.getRuntime")
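The SIEM query above expressed as a small log scanner, so the AND semantics can be tested on real controller logs before it is deployed. This is an added example, not part of the advisory. It assumes the Jenkins log line format "timestamp [id=N] LEVEL logger: message" and matches the page's keywords as whole words (so "exec" does not fire on every "Executor" line); the log lines are constructed, not captured output.

```python
"""Flag Jenkins controller log lines where a trusted-checkout marker and an
OS command execution marker co-occur, mirroring the SIEM query above."""
import re
from typing import Dict, List, Sequence

# The two keyword groups of the SIEM query; both must hit on the same line.
SCM_TERMS = ("readTrusted", "checkout", "SCM")
EXEC_TERMS = ("command", "exec", "Runtime.getRuntime")

# Assumed Jenkins controller log layout:
#   "2022-02-16 10:04:12.345+0000 [id=42] INFO  logger#method: message"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+\[id=(?P<thread>\d+)\]\s+(?P<level>\w+)\s+"
    r"(?P<logger>\S+):\s+(?P<msg>.*)$"
)


def term_hits(message: str, terms: Sequence[str]) -> List[str]:
    """Return the terms that occur in message as whole words, case-insensitively.

    Whole-word matching is stricter than the SIEM query's substring match: it
    keeps "Executor #0 started" from counting as an "exec" hit.
    """
    return [t for t in terms
            if re.search(r"\b" + re.escape(t) + r"\b", message, re.IGNORECASE)]


def scan_log(lines: Sequence[str]) -> List[Dict]:
    """Return one finding per line where an SCM term and an exec term both appear."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = LOG_LINE.match(line)
        # Unparsed lines (stack traces, wrapped output) are scanned whole.
        message = match.group("msg") if match else line
        scm = term_hits(message, SCM_TERMS)
        exe = term_hits(message, EXEC_TERMS)
        if scm and exe:
            findings.append({
                "line": number,
                "timestamp": match.group("ts") if match else None,
                "logger": match.group("logger") if match else None,
                "scm_terms": scm,
                "exec_terms": exe,
                "raw": line,
            })
    return findings


# Constructed sample lines in the assumed layout (not real Jenkins output).
SAMPLE_LINES = [
    "2022-02-16 10:04:12.345+0000 [id=42] INFO  hudson.plugins.git.GitSCM#checkout: checkout of origin/main completed",
    "2022-02-16 10:04:13.010+0000 [id=43] INFO  hudson.model.Executor#run: Executor #0 started build",
    "2022-02-16 10:04:15.221+0000 [id=44] WARNING o.j.p.w.m.ReadTrustedStep#run: readTrusted resolved Jenkinsfile; Runtime.getRuntime reached from trusted context",
    "unparsed fragment: SCM checkout then exec of external command",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LINES):
        print(finding["line"], finding["timestamp"], finding["scm_terms"], finding["exec_terms"])
```

Only lines 3 and 4 of the sample are reported: line 1 has a checkout marker but no execution marker, and line 2 mentions an executor, which the whole-word match correctly ignores. Expect noise from legitimate pipelines that call shell steps after a checkout; the query is a triage filter, not a verdict.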