CVE-2022-29047
Aliases:GHSA-hh6f-6fp5-gfpv
Advisory lineage Upstream: 0 Downstream: 4
Modified
Published: 12 Apr 2022, 19:50
Last modified:20 Nov 2024, 15:35
Vulnerability Summary
Overall Risk (default)
low
21/100 CVSS Score
5.3 MEDIUM
v3.1 (nvd)
EPSS Score
0.08% LOW
0% probability -0.17%
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
12 Apr 2022, 19:50
Published
Vulnerability first disclosed
20 Nov 2024, 15:35
Last Modified
Vulnerability information updated
Description
Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved library in their pull request, even if the Pipeline is configured to not trust them.
CVSS Metrics
- v3.1•MEDIUM•Score: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
- v3.1•HIGH•Score: 7.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- v2.0•MEDIUM•Score: 5AV:N/AC:L/Au:N/C:N/I:P/A:N
EPSS Trends
Current EPSS score: 0.08%• Percentile: 24%
Techniques & Countermeasures
- CWE-863•Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
Affected Systems
- jenkins project•jenkins pipeline: shared groovy libraries plugin
≥ unspecified, ≤ 564.ve62a_4eb_b_e039
- org.jenkins-ci.plugins.workflow•workflow-cps-global-lib
< 2.21.3 | ≥ 544.vff04fa68714d, < 566.vd0a
References (4)
- https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-1951
- https://nvd.nist.gov/vuln/detail/CVE-2022-29047
- https://github.com/jenkinsci/workflow-cps-global-lib-plugin/commit/97bf32458e60ad252cfe5e7949bacf04459cee64
- https://github.com/jenkinsci/workflow-cps-global-lib-plugin/commit/bae59b46cb524549d7f346ba73d3161804c97331