CloudBees Security Advisory 2023-02-09
This advisory announces vulnerabilities in CloudBees CI and CloudBees Jenkins Platform
Git releases with critical vulnerabilities on CloudBees CI Docker images
SECURITY-3039 / CVE-2022-23521 and CVE-2022-41903
Severity (CVSS): Critical
Description:
CloudBees provides Docker images for the CloudBees CI platform. These Docker images include the git command line tool to interact with Git repositories.
Git releases published before 2023-01-17 are affected by the vulnerabilities CVE-2022-23521 and CVE-2022-41903. In the context of CloudBees CI, the former vulnerability could be exploited through crafted repository contents, allowing an attacker with commit access to a Git repository cloned on a controller or agent to achieve remote code execution.
Building software is the primary use case for CloudBees CI. To accomplish that, CloudBees CI invokes build scripts containing user-specified code, usually retrieved from an SCM like Git. As a result, this vulnerability only has a real impact in very narrow circumstances: when attackers can control repository contents, but are unable to change build steps, Jenkinsfiles, test code that gets executed by CloudBees CI, or similar.
A new version of these images containing the fixed Git package, 2.31.1-3, has been released.
Severity
SECURITY-3039: Critical
Fix
CloudBees Traditional Platforms should be upgraded to 2.375.3.4
CloudBees Cloud Platforms should be upgraded to 2.375.3.4
CloudBees Jenkins Platform (fixed train, CJP Operations Center and CJP Client Master (2.346.x.0.z)) should be upgraded to 2.346.40.0.8
NOTE: Customers need to update the image version in their build pod definitions.
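As an added check that is not part of this advisory, the script below reports whether the git package inside a CloudBees CI controller or agent image is at or above the fixed build 2.31.1-3 named above. It assumes the image is RPM-based (the package-style version suggests that) and IMAGE is a placeholder for your own image reference.

```shell
#!/bin/sh
# Added example, not CloudBees code: verify the git package in an image
# against the fixed build from the advisory. Assumes an RPM-based image.
FIXED_GIT="2.31.1-3"

# ver_ge A B: returns 0 when version string A >= B, comparing each numeric
# component of "x.y.z-r" in turn (2.31.1-3 vs 2.31.1-2, for example).
ver_ge() {
  a=$(printf '%s' "$1" | tr '-' '.')
  b=$(printf '%s' "$2" | tr '-' '.')
  while [ -n "$a" ] || [ -n "$b" ]; do
    ca=${a%%.*}; cb=${b%%.*}
    [ "$a" = "$ca" ] && a="" || a=${a#*.}
    [ "$b" = "$cb" ] && b="" || b=${b#*.}
    ca=${ca:-0}; cb=${cb:-0}
    # non-numeric components (rc tags, garbage) are treated as "not fixed"
    case "$ca$cb" in *[!0-9]*) return 1 ;; esac
    [ "$ca" -gt "$cb" ] && return 0
    [ "$ca" -lt "$cb" ] && return 1
  done
  return 0
}

# git_fixed PKG: 0 when an "rpm -q git" string such as git-2.31.1-3.el8_7.x86_64
# names a build at or above FIXED_GIT; 1 otherwise (including unparsable input).
git_fixed() {
  ver=$(printf '%s' "$1" | cut -s -d- -f2)
  # keep only the numeric release prefix, dropping ".el8_7.x86_64"-style suffixes
  rel=$(printf '%s' "$1" | cut -s -d- -f3 | sed 's/\.[a-zA-Z].*//')
  [ -n "$ver" ] && [ -n "$rel" ] || return 1
  ver_ge "$ver-$rel" "$FIXED_GIT"
}

# Usage: sh check-git.sh IMAGE   (IMAGE is a placeholder for your image)
# Without an argument a constructed sample of a vulnerable build is checked.
if [ -n "$1" ]; then
  pkg=$(docker run --rm "$1" rpm -q git)
else
  pkg="git-2.31.1-2.el8.x86_64"   # constructed sample, not a real image result
fi
if git_fixed "$pkg"; then
  echo "$pkg: at or above git $FIXED_GIT"
else
  echo "$pkg: below git $FIXED_GIT, update the image version in pod definitions"
fi
```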