CVE-2022-25181

8.8 HIGH

📋 TL;DR

This CVE describes a sandbox bypass vulnerability in Jenkins Pipeline: Shared Groovy Libraries Plugin that allows attackers with Item/Configure permission to execute arbitrary code on the Jenkins controller. Attackers can achieve remote code execution by crafting malicious SCM contents when a global Pipeline library exists. This affects Jenkins administrators and users with configuration permissions.

💻 Affected Systems

Products:
  • Jenkins Pipeline: Shared Groovy Libraries Plugin
Versions: 552.vd9cc05b8a2e1 and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Item/Configure permission and an existing global Pipeline library to be exploitable.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of the Jenkins controller with full system access, allowing lateral movement, data exfiltration, and persistent backdoor installation.

🟠 Likely Case: Unauthorized code execution leading to credential theft, pipeline manipulation, and deployment of malicious artifacts.

🟢 If Mitigated: Limited impact if proper access controls restrict Item/Configure permissions and network segmentation isolates Jenkins.

🌐 Internet-Facing: HIGH - Jenkins instances exposed to the internet are prime targets for exploitation.
🏢 Internal Only: MEDIUM - Internal attackers with appropriate permissions can still exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access with Item/Configure permission. Public exploit details exist in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 552.vd9cc05b8a2e1 and later versions

Vendor Advisory: https://www.jenkins.io/security/advisory/2022-02-15/#SECURITY-2441

Restart Required: Yes

Instructions:

1. Update Jenkins Pipeline: Shared Groovy Libraries Plugin to version 552.vd9cc05b8a2e1 or later.
2. Restart the Jenkins instance.
3. Verify the plugin version in the Jenkins plugin manager.

🔧 Temporary Workarounds

Restrict Item/Configure Permissions (applies to: all)

Limit users with Item/Configure permission to trusted administrators only.

Remove Global Pipeline Libraries (applies to: all)

Temporarily remove or disable global Pipeline libraries if not required.

🧯 If You Can't Patch

  • Implement strict access controls to limit Item/Configure permissions to essential personnel only.
  • Network-segment the Jenkins controller to restrict lateral movement, and monitor it for suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Check Jenkins plugin manager for Pipeline: Shared Groovy Libraries Plugin version. If version is 552.vd9cc05b8a2e1 or earlier, the system is vulnerable.

Check Version:

Check via Jenkins web UI: Manage Jenkins > Manage Plugins > Installed tab, or via CLI: java -jar jenkins-cli.jar -s http://jenkins-url/ list-plugins | grep 'Pipeline: Shared Groovy Libraries'

Verify Fix Applied:

Verify plugin version is 552.vd9cc05b8a2e1 or later in Jenkins plugin manager and confirm Jenkins has been restarted.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Groovy script executions
  • Unauthorized pipeline library modifications
  • Jenkins controller process spawning unexpected child processes

Network Indicators:

  • Unexpected outbound connections from Jenkins controller
  • Suspicious SCM repository access patterns

SIEM Query:

source="jenkins.log" AND ("Groovy" OR "sandbox" OR "library") AND ("error" OR "exception" OR "unauthorized")
