The Jenkins Pipeline: Shared Groovy Libraries Plugin provides form validation to determine whether the revision (e.g. commit, tag, or branch name) specified for a global library exists in the repository. This form validation method lacked a permission check, allowing attackers with Overall/Read access to determine whether an attacker-specified revision exists in an SCM repository configured for use in an existing shared library.
Pipeline: Shared Groovy Libraries Plugin now performs the appropriate permission check.
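An added example, not the plugin's code: a heuristic Python scan of Jenkins plugin source for `doCheck*` form validation methods whose body makes no permission call, the class of defect described above. The Java sample is constructed; its class, method and helper names are assumptions, and the permission it checks is illustrative because the advisory does not name the one the fix uses.

```python
import re

# Heuristic: Stapler form-validation endpoints are methods named doCheck<Field>.
VALIDATOR = re.compile(r"\bFormValidation\s+(doCheck\w+)\s*\(")
# Calls that indicate the method gates its work on a permission.
GUARD = re.compile(r"\b(checkPermission|hasPermission)\s*\(")


def method_body(source, start):
    """Return the brace-delimited body that begins at or after `start`."""
    open_idx = source.find("{", start)
    if open_idx < 0:
        return ""  # declaration without a body
    depth = 0
    for i in range(open_idx, len(source)):
        if source[i] == "{":
            depth += 1
        elif source[i] == "}":
            depth -= 1
            if depth == 0:
                return source[open_idx:i + 1]
    return source[open_idx:]  # unbalanced input: scan to end of file


def find_unguarded_validators(source):
    """Names of doCheck* methods whose body contains no permission call."""
    return [m.group(1) for m in VALIDATOR.finditer(source)
            if not GUARD.search(method_body(source, m.end()))]


# Constructed sample, not the plugin's real source. All names are hypothetical
# and the permission checked is illustrative (the advisory does not name it).
SAMPLE = '''
public class LibraryDescriptor {
    public FormValidation doCheckRevision(@QueryParameter String value) {
        if (scm.revisionExists(value)) {
            return FormValidation.ok("Revision found");
        }
        return FormValidation.error("No such revision");
    }
    public FormValidation doCheckName(@QueryParameter String value) {
        Jenkins.get().checkPermission(Jenkins.ADMINISTER);
        return value.isEmpty() ? FormValidation.error("Required") : FormValidation.ok();
    }
}
'''

if __name__ == "__main__":
    print("no permission check:", find_unguarded_validators(SAMPLE))
```

The scan is textual: it does not see checks delegated to a helper method or expressed another way, so treat each hit as a prompt for manual review rather than a confirmed finding.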
External References:
https://jenkins.io/security/advisory/2019-07-31/#SECURITY-1422