Git releases with critical vulnerabilities on CloudBees CI Docker images
SECURITY-3039 / CVE-2022-23521 and CVE-2022-41903
Severity (CVSS): Critical
CloudBees provides Docker images for CloudBees CI platform. These Docker images include the
git command line tool to interact with Git repositories.
Git releases published before 2023-01-17 are affected by the vulnerabilities CVE-2022-23521 and CVE-2022-41903. In the context of CloudBees CI, the former vulnerability could be exploited through crafted repository contents, allowing an attacker with commit access to a Git repository cloned on a controller or agent to achieve remote code execution.
Building software is the primary use case for CloudBees CI. To accomplish that, CloudBees CI invokes build scripts containing user-specified code, usually retrieved from an SCM like Git. As a result, this vulnerability only has a real impact in very narrow circumstances: when attackers can control repository contents, but are unable to change build steps, Jenkinsfiles, test code that gets executed by CloudBees CI, or similar.
A new version of these images with the proper Git 2.31.1-3 has been released.