Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2022-29047

Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved library in their pull request, even if the Pipeline is configured to not trust them.

Published

2022-04-12T20:15:09.613

Last Modified

2024-11-21T06:58:24.233

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.3 (MEDIUM)

CVSSv2 Vector

AV:N/AC:L/Au:N/C:N/I:P/A:N

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Exploitability Score

10.0

Impact Score

2.9

Weaknesses

Type: Primary
CWE-863

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Application	jenkins	pipeline\	< 2.21.3	Yes
Application	jenkins	pipeline\	< 566.vd0a_a_3334a_555	Yes

References

https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-1951 Vendor Advisory ([email protected])
https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-1951 Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)