VulnerableCode Package Details - pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps@2648.2651.v230593e03e9f

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-jj9c-e7k7-aqea	Improper Link Resolution Before File Access ('Link Following') Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier follows symbolic links to locations outside of the checkout directory for the configured SCM when reading the script file (typically Jenkinsfile) for Pipelines, allowing attackers able to configure Pipelines to read arbitrary files on the Jenkins controller file system.	CVE-2022-25176 GHSA-6473-gqrj-4p65
VCID-m4y6-523t-v7ft	Insufficiently Protected Credentials Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier includes password parameters from the original build in replayed builds, allowing attackers with Run/Replay permission to obtain the values of password parameters passed to previous builds of a Pipeline.	CVE-2022-25180 GHSA-qv6q-x9vr-w7j3
VCID-x5nw-w14p-juas	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier uses the same checkout directories for distinct SCMs when reading the script file (typically Jenkinsfile) for Pipelines, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents.	CVE-2022-25173 GHSA-4m7p-55jm-3vwv

Vulnerability

Summary

Aliases

VCID-jj9c-e7k7-aqea

Improper Link Resolution Before File Access ('Link Following') Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier follows symbolic links to locations outside of the checkout directory for the configured SCM when reading the script file (typically Jenkinsfile) for Pipelines, allowing attackers able to configure Pipelines to read arbitrary files on the Jenkins controller file system.

CVE-2022-25176
GHSA-6473-gqrj-4p65

VCID-m4y6-523t-v7ft

Insufficiently Protected Credentials Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier includes password parameters from the original build in replayed builds, allowing attackers with Run/Replay permission to obtain the values of password parameters passed to previous builds of a Pipeline.

CVE-2022-25180
GHSA-qv6q-x9vr-w7j3

VCID-x5nw-w14p-juas

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier uses the same checkout directories for distinct SCMs when reading the script file (typically Jenkinsfile) for Pipelines, allowing attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents.

CVE-2022-25173
GHSA-4m7p-55jm-3vwv

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T15:59:56.296739+00:00	GHSA Importer	Fixing	VCID-jj9c-e7k7-aqea	https://github.com/advisories/GHSA-6473-gqrj-4p65	38.0.0
2026-04-01T13:06:20.579343+00:00	GithubOSV Importer	Fixing	VCID-jj9c-e7k7-aqea	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-6473-gqrj-4p65/GHSA-6473-gqrj-4p65.json	38.0.0
2026-04-01T12:49:35.269897+00:00	GitLab Importer	Fixing	VCID-m4y6-523t-v7ft	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jenkins-ci.plugins.workflow/workflow-cps/CVE-2022-25180.yml	38.0.0
2026-04-01T12:49:35.113646+00:00	GitLab Importer	Fixing	VCID-jj9c-e7k7-aqea	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jenkins-ci.plugins.workflow/workflow-cps/CVE-2022-25176.yml	38.0.0
2026-04-01T12:49:34.778678+00:00	GitLab Importer	Fixing	VCID-x5nw-w14p-juas	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jenkins-ci.plugins.workflow/workflow-cps/CVE-2022-25173.yml	38.0.0