Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-h57k-wsgx-4kbr
Vulnerability ID VCID-h57k-wsgx-4kbr
Aliases CVE-2022-25179
GHSA-2m9w-9xh2-wxc3
Summary Improper Link Resolution Before File Access ('Link Following') Jenkins Pipeline: Multibranch Plugin 706.vd43c65dec013 and earlier follows symbolic links to locations outside of the checkout directory for the configured SCM when reading files using the readTrusted step, allowing attackers able to configure Pipelines permission to read arbitrary files on the Jenkins controller file system.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-59 Improper Link Resolution Before File Access ('Link Following')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 6.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-25179.json
epss 0.01569 https://api.first.org/data/v1/epss?cve=CVE-2022-25179
epss 0.01569 https://api.first.org/data/v1/epss?cve=CVE-2022-25179
epss 0.01569 https://api.first.org/data/v1/epss?cve=CVE-2022-25179
epss 0.01569 https://api.first.org/data/v1/epss?cve=CVE-2022-25179
epss 0.01569 https://api.first.org/data/v1/epss?cve=CVE-2022-25179
epss 0.01569 https://api.first.org/data/v1/epss?cve=CVE-2022-25179
epss 0.01569 https://api.first.org/data/v1/epss?cve=CVE-2022-25179
epss 0.01569 https://api.first.org/data/v1/epss?cve=CVE-2022-25179
epss 0.01569 https://api.first.org/data/v1/epss?cve=CVE-2022-25179
epss 0.01569 https://api.first.org/data/v1/epss?cve=CVE-2022-25179
epss 0.01569 https://api.first.org/data/v1/epss?cve=CVE-2022-25179
epss 0.01569 https://api.first.org/data/v1/epss?cve=CVE-2022-25179
epss 0.01569 https://api.first.org/data/v1/epss?cve=CVE-2022-25179
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-2m9w-9xh2-wxc3
cvssv3.1 6.5 https://github.com/CVEProject/cvelist/blob/00bfb5abeecc9f553a2f42954ee540e493498ee9/2022/25xxx/CVE-2022-25179.json
generic_textual MODERATE https://github.com/CVEProject/cvelist/blob/00bfb5abeecc9f553a2f42954ee540e493498ee9/2022/25xxx/CVE-2022-25179.json
cvssv3.1 6.5 https://nvd.nist.gov/vuln/detail/CVE-2022-25179
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2022-25179
cvssv3.1 6.5 https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2613
generic_textual MODERATE https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2613
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-25179.json
https://api.first.org/data/v1/epss?cve=CVE-2022-25179
https://github.com/CVEProject/cvelist/blob/00bfb5abeecc9f553a2f42954ee540e493498ee9/2022/25xxx/CVE-2022-25179.json
https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2613
2055792 https://bugzilla.redhat.com/show_bug.cgi?id=2055792
CVE-2022-25179 https://nvd.nist.gov/vuln/detail/CVE-2022-25179
GHSA-2m9w-9xh2-wxc3 https://github.com/advisories/GHSA-2m9w-9xh2-wxc3
RHSA-2022:0871 https://access.redhat.com/errata/RHSA-2022:0871
RHSA-2022:1021 https://access.redhat.com/errata/RHSA-2022:1021
RHSA-2022:1025 https://access.redhat.com/errata/RHSA-2022:1025
RHSA-2022:1248 https://access.redhat.com/errata/RHSA-2022:1248
RHSA-2022:1420 https://access.redhat.com/errata/RHSA-2022:1420
RHSA-2022:1620 https://access.redhat.com/errata/RHSA-2022:1620
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-25179.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://github.com/CVEProject/cvelist/blob/00bfb5abeecc9f553a2f42954ee540e493498ee9/2022/25xxx/CVE-2022-25179.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2022-25179
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N Found at https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2613
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.81466
EPSS Score 0.01569
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:49:35.174609+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jenkins-ci.plugins.workflow/workflow-multibranch/CVE-2022-25179.yml 38.0.0