CVE-2022-30949: Path traversal in Jenkins REPO Plugin

May 18, 2022 (updated June 2, 2022)

Jenkins REPO Plugin 1.14.0 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller’s file system using local paths as SCM URLs, obtaining limited information about other projects’ SCM contents.

References

www.openwall.com/lists/oss-security/2022/05/17/8
github.com/advisories/GHSA-8vfc-fcr2-47pj
github.com/jenkinsci/repo-plugin/commit/8c9cbb88baffc64d1b63183235eb86c773108235
nvd.nist.gov/vuln/detail/CVE-2022-30949
www.jenkins.io/security/advisory/2022-05-17/

Code Behaviors & Features

Detect and mitigate CVE-2022-30949 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →