CVE-2022-30949: 
Java vulnerability analysis and mitigation

Jenkins REPO Plugin 1.14.0 and earlier contains a security vulnerability (CVE-2022-30949) discovered and disclosed on May 17, 2022. The vulnerability affects the REPO Plugin's SCM functionality, specifically in how it handles local file system paths when checking out repositories (Jenkins Advisory).

The vulnerability is classified with a Low severity CVSS score. The issue stems from the plugin's handling of different URL schemes, particularly local file system paths (using file: URLs). While historically Jenkins agents performed SCM checkouts, certain Pipeline-related features also perform checkouts from the Jenkins controller. This implementation allows attackers with pipeline configuration capabilities to access repositories stored on the Jenkins controller's file system using local paths as SCM URLs (Jenkins Advisory).

The vulnerability allows attackers with pipeline configuration access to obtain limited information about other projects' SCM contents by accessing repositories stored on the Jenkins controller's file system (Jenkins Advisory).

The vulnerability has been fixed in REPO Plugin version 1.15.0, which rejects local file paths being checked out on the controller. Users should upgrade to this version to mitigate the vulnerability (Jenkins Advisory).