| Field | Value |
|---|---|
| Vulnerability ID | VCID-jj9c-e7k7-aqea |
| Aliases | CVE-2022-25176, GHSA-6473-gqrj-4p65 |
| Weakness | Improper Link Resolution Before File Access ('Link Following') |
| Summary | Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier follows symbolic links to locations outside of the checkout directory for the configured SCM when reading the script file (typically Jenkinsfile) for Pipelines, allowing attackers able to configure Pipelines to read arbitrary files on the Jenkins controller file system. |
| Status | Published |
| Exploitability | 0.5 |
| Weighted Severity | 6.2 |
| Risk | 3.1 |
| Affected and Fixed Packages | Package Details |
| Reference id | URL |
|---|---|
| | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-25176.json |
| | https://api.first.org/data/v1/epss?cve=CVE-2022-25176 |
| | https://github.com/jenkinsci/workflow-cps-plugin |
| | https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2613 |
| 2055787 | https://bugzilla.redhat.com/show_bug.cgi?id=2055787 |
| CVE-2022-25176 | https://nvd.nist.gov/vuln/detail/CVE-2022-25176 |
| GHSA-6473-gqrj-4p65 | https://github.com/advisories/GHSA-6473-gqrj-4p65 |
| RHSA-2022:0871 | https://access.redhat.com/errata/RHSA-2022:0871 |
| RHSA-2022:1021 | https://access.redhat.com/errata/RHSA-2022:1021 |
| RHSA-2022:1025 | https://access.redhat.com/errata/RHSA-2022:1025 |
| RHSA-2022:1248 | https://access.redhat.com/errata/RHSA-2022:1248 |
| RHSA-2022:1420 | https://access.redhat.com/errata/RHSA-2022:1420 |
| RHSA-2022:1620 | https://access.redhat.com/errata/RHSA-2022:1620 |
| EPSS | Value |
|---|---|
| EPSS Score | 0.00642 |
| Percentile | 0.70545 |
| Published At | April 2, 2026, 12:55 p.m. |
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-04-01T12:49:35.105338+00:00 | GitLab Importer | Import | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jenkins-ci.plugins.workflow/workflow-cps/CVE-2022-25176.yml | 38.0.0 |