CVE-2022-29047
First published: Tue Apr 12 2022(Updated: )
Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved library in their pull request, even if the Pipeline is configured to not trust them.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jenkins | <2-plugins-0:4.12.1675702407-1.el8 | 2-plugins-0:4.12.1675702407-1.el8 |
| redhat/jenkins | <2-plugins-0:4.7.1652967082-1.el8 | 2-plugins-0:4.7.1652967082-1.el8 |
| redhat/jenkins | <2-plugins-0:4.8.1672842762-1.el8 | 2-plugins-0:4.8.1672842762-1.el8 |
| redhat/jenkins | <2-plugins-0:4.9.1651754460-1.el8 | 2-plugins-0:4.9.1651754460-1.el8 |
| Jenkins Pipeline\ | <2.21.3 | |
| Jenkins Pipeline\ | >=544.vff04fa68714d<566.vd0a_a_3334a_555 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-1951
- https://access.redhat.com/errata/RHSA-2022:2205
- https://access.redhat.com/security/cve/cve-2022-29047
- https://access.redhat.com/errata/RHSA-2022:4909
- https://access.redhat.com/errata/RHSA-2023:0017
- https://access.redhat.com/errata/RHSA-2023:1064
- https://bugzilla.redhat.com/show_bug.cgi?id=2074855
- https://www.cve.org/CVERecord?id=CVE-2022-29047 https://nvd.nist.gov/vuln/detail/CVE-2022-29047 https://www.jenkins.io/security/advisory/2022-04-12/#SECURITY-1951
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2022-29047?
CVE-2022-29047 is classified as a medium severity vulnerability that affects Jenkins Pipeline: Shared Groovy Libraries Plugin.
How do I fix CVE-2022-29047?
To fix CVE-2022-29047, upgrade to Jenkins Pipeline: Shared Groovy Libraries Plugin version 2.21.3 or later.
Who is affected by CVE-2022-29047?
CVE-2022-29047 affects users of the Jenkins Pipeline: Shared Groovy Libraries Plugin version 564.ve62a_4eb_b_e039 and earlier.
What types of issues does CVE-2022-29047 cause?
CVE-2022-29047 allows unauthorized modification of pipeline behavior through pull requests.
Is there a workaround for CVE-2022-29047?
There is no official workaround for CVE-2022-29047; upgrading to the fixed version is strongly recommended.
- collector/redhat-cve
- collector/nvd-index
- collector/nvd-api
- agent/author
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/weakness
- agent/references
- agent/severity
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-29047
- agent/software-canonical-lookup
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/trending
- agent/tags
- agent/source
- package-manager/redhat
- vendor/jenkins
- canonical/jenkins pipeline\
- version/jenkins pipeline\/544.vff04fa68714d