CVE-2022-29047 Information

Description

Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier except 2.21.3 allows attackers able to submit pull requests (or equivalent) but not able to commit directly to the configured SCM to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved library in their pull request even if the Pipeline is configured to not trust them.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Reference

https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-1951

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

Base Score

5.3

Base Severity

MEDIUM