#VU63358 Security features bypass in Pipeline: Groovy - CVE-2022-30945

Cybersecurity Help s.r.o.

Published: 2022-05-18

Vulnerability identifier: #VU63358

Vulnerability risk: Medium

CVSSv4.0: 5.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-30945

CWE-ID: CWE-254

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Pipeline: Groovy
Web applications / Modules and components for CMS

Vendor: Jenkins

Description

The vulnerability allows a remote attacker to compromise the system.

The vulnerability exists due to the sandbox bypass issue through implicitly allowlisted platform Groovy files. A remote user can bypass sandbox protections.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Pipeline: Groovy: 2689.v434009a_31b_f1

External links
https://jenkins.io/security/advisory/2022-05-17/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in OpenShift Container Platform 4.8

Security features bypass in Jenkins Pipeline: Groovy plugin