CVE-2022-30948

Jenkins Mercurial Plugin 2.16 and earlier allows attackers able to configure pipelines to check out some SCM repositories stored on the Jenkins controller's file system using local paths as SCM URLs, obtaining limited information about other projects' SCM contents.

Published: May 17, 2022
Updated: May 9, 2024
CVE: CVE-2022-30948
GHSA: GHSA-5786-3qjg-mr88
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-22

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
org.jenkins-ci.plugins / mercurial	-	2.16.1
jenkins / mercurial	-	2.16.1

http://www.openwall.com/lists/oss-security/2022/05/17/8
https://github.com/jenkinsci/mercurial-plugin/commit/b995436e560b01818f5d9e9920990370cc575341
https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2478

Vulnerability Database

289,697

CVE-2022-30948