This vulnerability arises because the Groovy Libraries Plugin in Jenkins Pipeline does not disallow the use of symbolic links within shared libraries. An attacker who can control the contents of such a library can create a symbolic link that points to any file on the Jenkins controller filesystem. When a Pipeline job executes with that library, the process will dereference the link and read the target file, exposing sensitive data. The resulting flaw is an information disclosure that can compromise confidentiality of configuration files, credentials, or other files accessible to the Jenkins process.

Affected systems are installations using Jenkins Pipeline with the Groovy Libraries Plugin version 797.v90ea_a_9b_e45a_0 or any earlier release. The vulnerability applies to the Pipeline component of Jenkins and is specific to that plugin; newer releases after the specified version are not affected.

The CVSS score of 7.5 indicates a high‑severity vulnerability. The vulnerability is not listed in the CISA KEV catalog and has no publicly reported EPSS score. Attackers would need to add or modify a shared library that a Pipeline job uses, which typically requires deployment pipeline privileges or the ability to commit to the library repository; based on the description, it is inferred that such an attacker could create a symbolic link that points to any file on the Jenkins controller filesystem. Once achieved, reading arbitrary files becomes trivial. Because the vulnerability does not rely on network input and requires local control, the exploitation likelihood is moderate to low depending on the organization’s pipeline governance. Nevertheless, given the potential to expose highly sensitive files, the risk to confidentiality is significant and merits immediate remediation.