PT-2022-19387 · Jenkins · Jenkins Pipeline: Shared Groovy Libraries Plugin (+2)

Credit: James Nord (+1)

Published 2022-04-12 · Updated 2023-12-21

CVE-2022-29047

CVSS v3.1: 7.3 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: Jenkins Pipeline: Shared Groovy Libraries Plugin versions 564.ve62a_4eb_b_e039 and earlier, except version 2.21.3.

Description: The issue allows attackers who can submit pull requests, but cannot commit directly to the configured SCM, to change the Pipeline behavior by modifying the definition of a dynamically retrieved library in their pull request. This is possible even if the Pipeline is configured not to trust them. The vulnerability lies in the library step when its retriever argument points to a library in the current build's repository and branch, so the library definition is taken from the untrusted revision under build.

Recommendations: For Jenkins Pipeline: Shared Groovy Libraries Plugin versions 564.ve62a_4eb_b_e039 and earlier, except version 2.21.3, update to a version that includes the fix, such as Pipeline: Deprecated Groovy Libraries Plugin 566.vd0a_a_3334a_555 or version 2.21.3. The fixed versions abort library retrieval if the library would be retrieved from the same repository and revision as the current build and the revision being built is untrusted. Version 2.21.3 already includes this protection, so no additional action is required there. As a temporary workaround, consider restricting the use of the library step with a retriever argument to reduce the risk of exploitation.

Weakness Enumeration: Incorrect Authorization

Related Identifiers

CVE-2022-29047
GHSA-HH6F-6FP5-GFPV
RHSA-2022:2205
RHSA-2022:4909
RHSA-2023:0017
RHSA-2023:1064

Affected Products

Jenkins
Jenkins Pipeline: Shared Groovy Libraries Plugin
Jenkins Pipeline: Deprecated Groovy Libraries Plugin