Pipeline: Shared Groovy Libraries Plugin 552.vd9cc05b8a2e1 and earlier uses the names of Pipeline libraries to create cache directories without any sanitization. This allows attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM using specially crafted library names if a global Pipeline library configured to use caching already exists. References: https://www.jenkins.io/security/advisory/2022-02-15/
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.10 Via RHSA-2022:1025 https://access.redhat.com/errata/RHSA-2022:1025
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.9 Via RHSA-2022:1021 https://access.redhat.com/errata/RHSA-2022:1021
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-25183
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.7 Via RHSA-2022:1248 https://access.redhat.com/errata/RHSA-2022:1248
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 3.11 Via RHSA-2022:1420 https://access.redhat.com/errata/RHSA-2022:1420
This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.6 Via RHSA-2022:1620 https://access.redhat.com/errata/RHSA-2022:1620