GHSA-hh6f-6fp5-gfpv

Suggest an improvement
Source
https://github.com/advisories/GHSA-hh6f-6fp5-gfpv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/04/GHSA-hh6f-6fp5-gfpv/GHSA-hh6f-6fp5-gfpv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hh6f-6fp5-gfpv
Aliases
  • CVE-2022-29047
Published
2022-04-13T00:00:17Z
Modified
2023-11-08T04:09:07.458812Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
Summary
Untrusted users can modify some Pipeline libraries in Jenkins Pipeline: Deprecated Groovy Libraries Plugin
Details

Multibranch Pipelines by default limit who can change the Pipeline definition from the Jenkinsfile. This is useful for SCMs like GitHub: Jenkins can build content from users without commit access, but who can submit pull requests, without granting them the ability to modify the Pipeline definition. In that case, Jenkins will just use the Pipeline definition in the pull request’s destination branch instead.

In Pipeline: Deprecated Groovy Libraries Plugin 564.ve62a4ebb_e039 and earlier the same protection does not apply to uses of the library step with a retriever argument pointing to a library in the current build’s repository and branch (e.g., library(…, retriever: legacySCM(scm))). This allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the library behavior in their pull request, even if the Pipeline is configured to not trust them.

Pipeline: Deprecated Groovy Libraries Plugin 566.vd0aa3334a_555 and 2.21.3 aborts library retrieval if the library would be retrieved from the same repository and revision as the current build, and the revision being built is untrusted.

Database specific
{
    "nvd_published_at": "2022-04-12T20:15:00Z",
    "github_reviewed_at": "2022-12-02T21:35:05Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-863"
    ]
}
References

Affected packages

Maven / org.jenkins-ci.plugins.workflow:workflow-cps-global-lib

Package

Name
org.jenkins-ci.plugins.workflow:workflow-cps-global-lib
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps-global-lib

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.21.3

Affected versions

0.*

0.1-beta-5
0.1-beta-6
0.1-beta-7
0.1-beta-8

1.*

1.0-beta-1
1.0
1.1
1.2
1.3
1.4
1.4.1
1.4.2
1.4.3-beta-1
1.4.3
1.5
1.6-alpha-1
1.6
1.7-alpha-1
1.7
1.8
1.9-beta-1
1.9
1.10-beta-1
1.10
1.10.1
1.11-beta-1
1.11-beta-2
1.11-beta-3
1.11-beta-4
1.11
1.12-beta-1
1.12-beta-2
1.12-beta-3
1.12
1.13
1.14-beta-1
1.14
1.14.1-beta-1
1.14.1
1.14.2
1.15-beta-1
1.15

2.*

2.0
2.1
2.2
2.3
2.4
2.5
2.6
2.7
2.8
2.9
2.10
2.11
2.12
2.12.1
2.13
2.13.1
2.14
2.15
2.16
2.17
2.18
2.18.1
2.19
2.20
2.21
2.21.1

Maven / org.jenkins-ci.plugins.workflow:workflow-cps-global-lib

Package

Name
org.jenkins-ci.plugins.workflow:workflow-cps-global-lib
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps-global-lib

Affected ranges

Type
ECOSYSTEM
Events
Introduced
544.vff04fa68714d
Fixed
566.vd0a

Affected versions

544.*

544.vff04fa68714d

545.*

545.v7b28cce323cf

548.*

548.v9085a486966a

552.*

552.vd9cc05b8a2e1
552.554.vdba55efb9e88

561.*

561.va_ce0de3c2d69

564.*

564.ve62a_4eb_b_e039

Database specific

{
    "last_known_affected_version_range": "<= 564.ve62a"
}