Pipeline: Multibranch 706.vd43c65dec013 and earlier uses the same checkout directories for distinct SCMs for the readTrusted step. This allows attackers with Item/Configure permission to invoke arbitrary OS commands on the controller through crafted SCM contents. References: https://www.jenkins.io/security/advisory/2022-02-15/
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.10 Via RHSA-2022:1025 https://access.redhat.com/errata/RHSA-2022:1025
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.9 Via RHSA-2022:1021 https://access.redhat.com/errata/RHSA-2022:1021
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-25175
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2022:1248 https://access.redhat.com/errata/RHSA-2022:1248
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2022:1420 https://access.redhat.com/errata/RHSA-2022:1420
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2022:1620 https://access.redhat.com/errata/RHSA-2022:1620