CVE-2022-29047

Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved library in their pull request, even if the Pipeline is configured to not trust them.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:jenkins:pipeline\:_shared_groovy_libraries:*:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:pipeline\:_shared_groovy_libraries:*:*:*:*:*:jenkins:*:*

History

20 Apr 2022, 18:54

Type Values Removed Values Added
CPE cpe:2.3:a:jenkins:pipeline\:_shared_groovy_libraries:*:*:*:*:*:jenkins:*:*
References (CONFIRM) https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-1951 - (CONFIRM) https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-1951 - Vendor Advisory
CVSS v2 : unknown
v3 : unknown
v2 : 5.0
v3 : 5.3
CWE CWE-863

12 Apr 2022, 20:15

Type Values Removed Values Added
New CVE

Information

Published : 2022-04-12 20:15

Updated : 2024-02-04 22:29


NVD link : CVE-2022-29047

Mitre link : CVE-2022-29047

CVE.ORG link : CVE-2022-29047


JSON object : View

Products Affected

jenkins

  • pipeline\
CWE
CWE-863

Incorrect Authorization