Key vulnerability information

1. OS Command Execution in Pipeline-related Plugins
   CVEs: SECURITY-2463, CVE-2022-25173, CVE-2022-25174, CVE-2022-25175
   Severity: High
   Description: Multiple Pipeline-related plugins reuse the same workspace directory for checkouts of distinct SCMs in some contexts, allowing attackers with Item/Configure permission to invoke arbitrary commands.

2. Multiple Pipeline-related Plugins Allow Reading Arbitrary Files
   CVEs: SECURITY-2613, CVE-2022-25176, CVE-2022-25177, CVE-2022-25179
   Severity: Medium
   Description: Plugins follow symbolic links or do not limit path names, allowing arbitrary file reads.

3. Sensitive Information Disclosure in Pipeline: Groovy Plugin
   CVEs: SECURITY-2443, CVE-2022-25180
   Severity: Medium
   Description: Password parameters from the original build are included in replayed builds.

4. Sandbox Bypass Vulnerability in Pipeline: Deprecated Groovy Libraries Plugin
   CVEs: SECURITY-2441, CVE-2022-25181
   Severity: High
   Description: Plugins use the same workspace directory for checkouts with the same name, allowing arbitrary code execution.

5. Stored XSS in Generic Webhook Trigger Plugin
   CVEs: SECURITY-2592, CVE-2022-25185
   Severity: High
   Description: Generic Webhook Trigger Plugin does not escape the build cause.

Fix
Affected Plugins and Versions: List of plugins and versions that need to be updated.
Publicly Announced Vulnerabilities: Some vulnerabilities are announced publicly even without fixes.

Credit
Reporters: Acknowledgment of the reporters for discovering and reporting the vulnerabilities.

This screenshot shows a comprehensive advisory on vulnerabilities in Jenkins deliverables, detailing CVEs, severity levels, descriptions, and required fixes.