CVE-2022-25183

8.8 HIGH

📋 TL;DR

This vulnerability in Jenkins Pipeline: Shared Groovy Libraries Plugin allows attackers with Item/Configure permission to execute arbitrary code on the Jenkins controller by exploiting unsanitized library names in cache directory creation. It affects Jenkins instances with global Pipeline libraries configured to use caching, enabling remote code execution in the Jenkins JVM context.

💻 Affected Systems

Products:
  • Jenkins Pipeline: Shared Groovy Libraries Plugin
Versions: 552.vd9cc05b8a2e1 and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ✅ No
Notes: Requires both: 1) Global Pipeline library configured with caching enabled, 2) Attacker with Item/Configure permission

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full compromise of Jenkins controller with attacker gaining complete control over the Jenkins instance, potentially leading to lateral movement, data exfiltration, and deployment of persistent backdoors.

🟠 Likely Case

Unauthorized code execution allowing attackers to steal credentials, modify build processes, access sensitive configuration data, and compromise connected systems.

🟢 If Mitigated

Limited impact if proper access controls restrict Item/Configure permissions and network segmentation isolates Jenkins from critical systems.

🌐 Internet-Facing: HIGH - Jenkins instances exposed to the internet with vulnerable configurations are prime targets for exploitation.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts with Item/Configure permission can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires Item/Configure permission but is straightforward once access is obtained. Public exploit details available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 552.vd9cc05b8a2e1 and later versions

Vendor Advisory: https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2586

Restart Required: Yes

Instructions:

1. Update Jenkins to the latest version.
2. Update Pipeline: Shared Groovy Libraries Plugin to version 552.vd9cc05b8a2e1 or later.
3. Restart the Jenkins instance.
4. Verify the plugin version in Manage Jenkins > Plugin Manager.

🔧 Temporary Workarounds

Disable caching for global Pipeline libraries

Platform: all

Prevents exploitation by removing the caching functionality that creates vulnerable directories

Navigate to Manage Jenkins > Configure System > Global Pipeline Libraries > Edit library configuration > Uncheck 'Enable caching'

Restrict Item/Configure permissions

Platform: all

Limit access to users who absolutely need Item/Configure permission

Navigate to Manage Jenkins > Configure Global Security > Authorization > Restrict permissions using Role-Based Strategy or Matrix-based security

🧯 If You Can't Patch

  • Implement strict access controls to limit Item/Configure permissions to trusted users only
  • Place Jenkins instances in a segmented network and use firewall rules to restrict access

🔍 How to Verify

Check if Vulnerable:

Check plugin version in Manage Jenkins > Plugin Manager > Installed tab > Search for 'Pipeline: Shared Groovy Libraries'

Check Version:

curl -s "http://jenkins-host/pluginManager/api/json?depth=1" | jq '.plugins[] | select(.shortName=="workflow-cps-global-lib") | .version'

Verify Fix Applied:

Verify that the plugin version is 552.vd9cc05b8a2e1 or later. If the plugin has not been updated, verify that caching is disabled.

📡 Detection & Monitoring

Log Indicators:

  • Unusual library name patterns in Jenkins logs
  • Suspicious Groovy script execution
  • Unexpected cache directory creation

Network Indicators:

  • Unusual outbound connections from Jenkins controller
  • Suspicious HTTP requests to Jenkins API endpoints

SIEM Query:

source="jenkins.log" AND (("library" AND "cache" AND "directory") OR ("Item/Configure" AND "permission"))
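
One way to act on the "unusual library name patterns" indicator above, as an added example (not code from Jenkins or the plugin): a Python audit that flags library names which would not stay a single directory under a cache root if used unsanitized. The cache root path, the allowlist and the sample names are assumptions constructed for illustration.

```python
import posixpath
import re

# Assumption: conservative allowlist for library names; adapt to local naming rules.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

# Constructed sample names, e.g. collected from job and folder configuration.
SAMPLE_NAMES = ["shared-lib", "build.utils_v2", "libs/common", "../outside", "", "team lib"]


def name_findings(name, cache_root="/cache-root"):
    """Reasons a library name is unsafe to use verbatim as a cache directory name."""
    findings = []
    if any(ord(ch) < 32 or ord(ch) == 127 for ch in name):
        findings.append("control character")
    if "/" in name or "\\" in name:
        findings.append("path separator")
    if name.startswith(("/", "\\")) or re.match(r"[A-Za-z]:", name):
        findings.append("absolute path")
    if any(part in (".", "..") for part in re.split(r"[\\/]", name)):
        findings.append("dot segment")
    # Containment: where does cache_root + name land once the path is normalised?
    joined = posixpath.normpath(posixpath.join(cache_root, name.replace("\\", "/")))
    if joined == cache_root:
        findings.append("resolves to cache root itself")
    elif not joined.startswith(cache_root + "/"):
        findings.append("resolves outside cache root")
    if not findings and not SAFE_NAME.fullmatch(name):
        findings.append("outside allowlist")
    return findings


def audit(names, cache_root="/cache-root"):
    """Map each flagged name to its findings; clean names are omitted."""
    report = {}
    for name in names:
        findings = name_findings(name, cache_root)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_NAMES).items():
        print(f"{name!r}: {', '.join(findings)}")
```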
