CVE-2022-30945 — Code Injection in Jenkins Pipeline

CWE-94 — Code Injection CWE-434 — Unrestricted File Upload CWE-552 — Files or Directories Accessible to External Parties6 documents6 sources

Severity

8.5HIGHNVD

EPSS

1.1%

top 21.83%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Pipeline Jenkins Project Jenkins Pipeline Groovy Plugin

Timeline

PublishedMay 17

Latest updateMay 18

Description

Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:HExploitability: 1.8 | Impact: 6.0

Affected Packages2 packages

▶CVEListV5jenkins_project/jenkins_pipeline_groovy_pluginunspecified — 2689.v434009a_31b_f1

▶NVDjenkins/pipeline< 2689.v434009a_31b_f1

Patches

Patch: www.jenkins.io ↗Patch: www.jenkins.io ↗

🔴Vulnerability Details

GHSA

Sandbox bypass vulnerability through implicitly allowlisted platform Groovy files in Jenkins Pipeline: Groovy Plugin↗2022-05-18

▶

OSV

Sandbox bypass vulnerability through implicitly allowlisted platform Groovy files in Jenkins Pipeline: Groovy Plugin↗2022-05-18

▶

CVEList

CVE-2022-30945: Jenkins Pipeline: Groovy Plugin 2689↗2022-05-17

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2022-05-17↗2022-05-17

▶

Red Hat

plugin: Sandbox bypass vulnerability through implicitly allowlisted platform Groovy files in Pipeline: Groovy Plugin↗2022-05-17

▶