Описание
Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved library in their pull request, even if the Pipeline is configured to not trust them.
A flaw was found in the Jenkins Pipeline: Shared Groovy Libraries plugin. The Jenkins Pipeline: Shared Groovy Libraries plugin allows attackers to submit pull requests. However, the attacker cannot commit directly to the configured Source Control Management (SCM) to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved library in their pull request, even with the Pipeline configured not to trust them.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat OpenShift Container Platform 3.11 | jenkins-2-plugins | Not affected | ||
| OCP-Tools-4.12-RHEL-8 | jenkins-2-plugins | Fixed | RHSA-2023:1064 | 06.03.2023 |
| Red Hat OpenShift Container Platform 4.7 | jenkins-2-plugins | Fixed | RHSA-2022:4909 | 10.06.2022 |
| Red Hat OpenShift Container Platform 4.8 | jenkins-2-plugins | Fixed | RHSA-2023:0017 | 12.01.2023 |
| Red Hat OpenShift Container Platform 4.9 | jenkins-2-plugins | Fixed | RHSA-2022:2205 | 18.05.2022 |
Показывать по
Дополнительная информация
Статус:
EPSS
7.3 High
CVSS3
Связанные уязвимости
Jenkins Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier, except 2.21.3, allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the definition of a dynamically retrieved library in their pull request, even if the Pipeline is configured to not trust them.
Untrusted users can modify some Pipeline libraries in Jenkins Pipeline: Deprecated Groovy Libraries Plugin
EPSS
7.3 High
CVSS3