CVE-2022-30945
Sandbox bypass vulnerability through implicitly allowlisted platform Groovy files in Pipeline: Groovy Plugin
Summary
- Public Exploits: 0
- Exploited in Wild: -
- Decision: -
Descriptions
Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines.
A flaw was found in Jenkins Groovy Plugin. The plugin allows pipelines to load Groovy source files. The intent is to allow Global Shared Libraries to execute without sandbox protection. The issue is that the plugin allows any Groovy source files bundled with Jenkins core and plugins to be loaded this way and their methods executed. If a suitable Groovy source file is available on the classpath of Jenkins, sandbox protections can be bypassed. No Groovy source files were found in Jenkins core or plugins that could result in attackers executing dangerous code; hence successful exploitation is considered highly unlikely.
CVSS Scores
SSVC
- Decision: -
Timeline
- 2022-05-16 CVE Reserved
- 2022-05-17 CVE Published
- 2023-12-08 EPSS Updated
- 2024-08-03 CVE Updated
- (no date) Exploited in Wild
- (no date) KEV Due Date
- (no date) First Exploit
CWE
- CWE-693: Protection Mechanism Failure
CAPEC
References (4)
URL | Tag | Date
---|---|---
http://www.openwall.com/lists/oss-security/2022/05/17/8 | Mailing List |
https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359 | | 2023-12-21
https://access.redhat.com/security/cve/CVE-2022-30945 | | 2023-01-12
https://bugzilla.redhat.com/show_bug.cgi?id=2119642 | | 2023-01-12
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Jenkins | Pipeline: Groovy | < 2689.v434009a_31b_f1 | jenkins | Affected