{"id":"CVE-2026-48921","details":"Jenkins Pipeline: Groovy Libraries Plugin 797.v90ea_a_9b_e45a_0 and earlier does not prohibit symbolic links in shared libraries, allowing attackers able to control the content of a library used by a Pipeline job to read arbitrary files on the Jenkins controller filesystem.","aliases":["GHSA-qjq3-wqj5-g37q"],"modified":"2026-07-15T06:10:17.430179Z","published":"2026-05-27T15:16:31.747Z","references":[{"type":"ADVISORY","url":"https://www.jenkins.io/security/advisory/2026-05-27/#SECURITY-3727"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jenkinsci/pipeline-groovy-lib-plugin","events":[{"introduced":"0"},{"fixed":"5cc688825312c805c93cadd0b61c42cdbf45f61f"}],"database_specific":{"source":"CPE_RANGE","cpe":"cpe:2.3:a:jenkins:pipeline\\:_groovy_libraries:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0"},{"fixed":"798.v5cc688825312"}]}}],"versions":["797.v90ea_a_9b_e45a_0","787.ve2fef0efdca_6","776.vfee5327b_b_a_5b_","766.v2b_e08c2e6ff2","763.v13008816b_de7","752.vdddedf804e72","751.v709f84f7d768","749.v70084559234a_","745.vdf6077913de0","744.v5b_556ee7c253","740.va_2701257fe8d","730.ve57b_34648c63","727.ve832a_9244dfa_","710.v4b_94b_077a_808","704.vc58b_8890a_384","700.v0e341fa_57d53","689.veec561a_dee13","687.v62591d623759","685.v8ee9ed91d574","673.vb_c5d5948283c","671.v07c339c842e8","656.va_a_ceeb_6ffb_f7","629.vb_5627b_ee2104","621.vb_44ce045b_582","613.v9c41a_160233f","612.v84da_9c54906d","593.va_a_fc25d520e9","598.vcd66b_a_336510","591.v3a_7f422b_d058","589.vb_a_b_4a_a_8c443c"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48921.json","vanir_signatures_modified":"2026-07-15T06:10:17Z","vanir_signatures":[{"target":{"file":"src/main/java/org/jenkinsci/plugins/workflow/libs/SCMBasedRetriever.java","function":"doRetrieve"},"deprecated":false,"digest":{"length":3980,"function_hash":"72656283845224301365310572096345427899"},"id":"CVE-2026-48921-2d3976b7","signature_type":"Function","signature_version":"v1","source":"https://github.com/jenkinsci/pipeline-groovy-lib-plugin/commit/5cc688825312c805c93cadd0b61c42cdbf45f61f"},{"id":"CVE-2026-48921-548fb0d0","signature_type":"Line","signature_version":"v1","source":"https://github.com/jenkinsci/pipeline-groovy-lib-plugin/commit/5cc688825312c805c93cadd0b61c42cdbf45f61f","target":{"file":"src/test/java/org/jenkinsci/plugins/workflow/libs/SCMSourceRetrieverTest.java"},"deprecated":false,"digest":{"line_hashes":["251979580115318692229218899962687648778","174998602760317192040151353164042922787","88195518546502241173675227681388088713","154527407684054825527926744227986417248","103130227761527551167557635145230382077","122166725084250685294658455587807955919","247527537563805095468574862494952666897","2911532029258497559364649457357432427","292617559636662682115880908568957697529","257697839725486107349119268159641727836","249748238905822826680902554433092891693","301330057814195189920393384042041120655","115110573693560218960484084620930363333"],"threshold":0.9}},{"source":"https://github.com/jenkinsci/pipeline-groovy-lib-plugin/commit/5cc688825312c805c93cadd0b61c42cdbf45f61f","target":{"file":"src/test/java/org/jenkinsci/plugins/workflow/libs/ResourceStepTest.java"},"deprecated":false,"digest":{"threshold":0.9,"line_hashes":["215937122373796502109191090231335485637","46914635653444291413639397216790752478","109123133880426082159907658234270545242","319231720322609567832271823391192995748"]},"id":"CVE-2026-48921-59651ceb","signature_type":"Line","signature_version":"v1"},{"target":{"file":"src/test/java/org/jenkinsci/plugins/workflow/libs/ResourceStepTest.java","function":"symlinksInLibraryResourcesAreNotAllowedToEscapeWorkspaceContext"},"deprecated":false,"digest":{"length":1143,"function_hash":"262427193025924656186401405481482339666"},"id":"CVE-2026-48921-61a22995","signature_type":"Function","signature_version":"v1","source":"https://github.com/jenkinsci/pipeline-groovy-lib-plugin/commit/5cc688825312c805c93cadd0b61c42cdbf45f61f"},{"signature_version":"v1","source":"https://github.com/jenkinsci/pipeline-groovy-lib-plugin/commit/5cc688825312c805c93cadd0b61c42cdbf45f61f","target":{"file":"src/main/java/org/jenkinsci/plugins/workflow/libs/LibraryAdder.java","function":"retrieve"},"deprecated":false,"digest":{"function_hash":"62380524346465266434943186139516761548","length":3672},"id":"CVE-2026-48921-70b78246","signature_type":"Function"},{"deprecated":false,"digest":{"line_hashes":["60662566486544379435341622630030831311","187832888546101599058657129020576564408","337652553324878761854784438942634422758","62250684697871037299317247947736883245","97519431344735015928937021410740131493","308833712860095179650833958774660384536","35491868682322131630027765155179054267","329418057557900408003709734989706799379"],"threshold":0.9},"id":"CVE-2026-48921-a7842a01","signature_type":"Line","signature_version":"v1","source":"https://github.com/jenkinsci/pipeline-groovy-lib-plugin/commit/5cc688825312c805c93cadd0b61c42cdbf45f61f","target":{"file":"src/main/java/org/jenkinsci/plugins/workflow/libs/LibraryAdder.java"}},{"source":"https://github.com/jenkinsci/pipeline-groovy-lib-plugin/commit/5cc688825312c805c93cadd0b61c42cdbf45f61f","target":{"file":"src/main/java/org/jenkinsci/plugins/workflow/libs/SCMBasedRetriever.java"},"deprecated":false,"digest":{"line_hashes":["140358151189412432502161373531137462280","313006434286295430871162023259870558341","116965373023178036325345523943501072199","174012181602255372481603887611415911943","151698437681026150919613016885079515193","25991861100952883382001140085644960093","272205592973470567086003009887811002051","321192353035999880943423934767185693186","335686708531239172395992492277289658567","329963945152930438478869758782656414947","108712305264454434216805754402809302544","332239236242080749220241827485691247992","274229069181856472620183768051795938726","8376996099183153766262120323856755825","326059997309244637837587532572144558116"],"threshold":0.9},"id":"CVE-2026-48921-c1cc94e5","signature_type":"Line","signature_version":"v1"}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}