CVE-2022-30945

8.5 HIGH

📋 TL;DR

This vulnerability in Jenkins Pipeline: Groovy Plugin allows attackers in sandboxed pipelines to load arbitrary Groovy source files from the Jenkins classpath, bypassing sandbox restrictions. It affects Jenkins instances with the vulnerable plugin version, potentially enabling remote code execution. Users of Jenkins with Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier are affected.

💻 Affected Systems

Products:
  • Jenkins Pipeline: Groovy Plugin
Versions: 2689.v434009a_31b_f1 and earlier
Operating Systems: All platforms running Jenkins
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Jenkins with Pipeline functionality enabled and the vulnerable plugin version. Sandboxed pipelines are affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full remote code execution on the Jenkins controller, allowing complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case

Unauthorized code execution within Jenkins pipelines, enabling privilege escalation, credential theft, and manipulation of Jenkins jobs and configurations.

🟢 If Mitigated

Limited impact if proper network segmentation, least privilege access, and monitoring are implemented, though sandbox bypass remains possible.

🌐 Internet-Facing: HIGH - Jenkins instances exposed to the internet are directly vulnerable to exploitation attempts.
🏢 Internal Only: MEDIUM - Internal attackers or compromised accounts could exploit this, but exploitation requires some level of access to Jenkins.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires some Jenkins pipeline access. Proof-of-concept code is publicly available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2689.v434009a_31b_f2 and later

Vendor Advisory: https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359

Restart Required: Yes

Instructions:

1. Update Jenkins Pipeline: Groovy Plugin to version 2689.v434009a_31b_f2 or later via Jenkins Plugin Manager.
2. Restart Jenkins to apply the update.

🔧 Temporary Workarounds

Disable Groovy Sandbox (applies to: all)

Disable the Groovy sandbox feature in Jenkins, though this reduces security for legitimate pipelines.

Navigate to Jenkins > Manage Jenkins > In-process Script Approval > Configure and disable sandbox

🧯 If You Can't Patch

  • Restrict pipeline creation and execution to trusted users only.
  • Implement network segmentation to isolate Jenkins from critical systems.

🔍 How to Verify

Check if Vulnerable:

Check Jenkins plugin version: Navigate to Manage Jenkins > Manage Plugins > Installed tab, find 'Pipeline: Groovy Plugin' and verify version is 2689.v434009a_31b_f1 or earlier.

Check Version:

On Jenkins web interface: Manage Jenkins > Manage Plugins > Installed tab

Verify Fix Applied:

Confirm plugin version is 2689.v434009a_31b_f2 or later in the Installed plugins list after update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Groovy file loading in pipeline logs
  • Suspicious pipeline executions from untrusted users

Network Indicators:

  • Unexpected outbound connections from Jenkins controller

SIEM Query:

source="jenkins.log" AND ("Groovy" AND "sandbox" AND "bypass")

🔗 References
