CVE-2022-29047 — Incorrect Authorization in Jenkins Pipeline

CWE-863 — Incorrect Authorization CWE-288 — Authentication Bypass Using an Alternate Path or Channel6 documents6 sources

Severity

5.3MEDIUMNVD

EPSS

0.1%

top 79.99%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Pipeline Jenkins Project Jenkins Pipeline Shared Groovy Libraries Plugin

Timeline

PublishedApr 12

Latest updateApr 13

Description

Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved library in their pull request, even if the Pipeline is configured to not trust them.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NExploitability: 3.9 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5jenkins_project/jenkins_pipeline_shared_groovy_libraries_pluginunspecified — 564.ve62a_4eb_b_e039

▶NVDjenkins/pipeline544.vff04fa68714d — 566.vd0a_a_3334a_555+1

🔴Vulnerability Details

GHSA

Untrusted users can modify some Pipeline libraries in Jenkins Pipeline: Deprecated Groovy Libraries Plugin↗2022-04-13

▶

OSV

Untrusted users can modify some Pipeline libraries in Jenkins Pipeline: Deprecated Groovy Libraries Plugin↗2022-04-13

▶

CVEList

CVE-2022-29047: Jenkins Pipeline: Shared Groovy Libraries Plugin 564↗2022-04-12

▶

📋Vendor Advisories

Red Hat

Libraries: Untrusted users can modify some Pipeline libraries in Pipeline Shared Groovy Libraries Plugin↗2022-04-12

▶

Jenkins

Jenkins Security Advisory 2022-04-12↗2022-04-12

▶