CVE-2022-25181: 
Java vulnerability analysis and mitigation

A sandbox bypass vulnerability (CVE-2022-25181) was discovered in Jenkins Pipeline: Shared Groovy Libraries Plugin version 552.vd9cc05b8a2e1 and earlier. The vulnerability was disclosed on February 15, 2022, affecting the Jenkins Pipeline plugin system. This high-severity vulnerability allows attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM through crafted SCM contents, if a global Pipeline library already exists (Jenkins Advisory).

The vulnerability stems from the Pipeline: Deprecated Groovy Libraries Plugin using the same workspace directory for all checkouts of Pipeline libraries with the same name, regardless of the SCM being used and the source of the library configuration. The vulnerability has a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

When exploited, this vulnerability allows attackers with Item/Configure permission to execute arbitrary code in the context of the Jenkins controller JVM. The attack is possible when a global Pipeline library already exists, potentially leading to complete system compromise (Jenkins Advisory).

The vulnerability has been fixed in Pipeline: Deprecated Groovy Libraries Plugin version 561.va_ce0de3c2d69, which implements distinct checkout directories per SCM for Pipeline libraries. Users are strongly advised to upgrade to this version or later to address the security issue (Jenkins Advisory).