CVE-2022-30950
📋 TL;DR
CVE-2022-30950 is a buffer overflow vulnerability in Jenkins WMI Windows Agents Plugin 1.8 and earlier that allows authenticated users who can connect to a named pipe to execute arbitrary commands on Windows agent machines. This affects Jenkins installations using the vulnerable plugin with Windows agents. The vulnerability stems from improper bounds checking in the Windows Remote Command library.
💻 Affected Systems
- Jenkins WMI Windows Agents Plugin
⚠️ Risk & Real-World Impact
Worst Case
Full remote code execution with SYSTEM privileges on Windows agent machines, leading to complete compromise of the agent system and potential lateral movement within the network.
Likely Case
Authenticated Jenkins users with agent connection permissions can execute arbitrary commands on Windows agents, potentially gaining control over those systems.
If Mitigated
With proper access controls and network segmentation, impact is limited to authorized users within the Jenkins environment.
🎯 Exploit Status
Exploitation requires authenticated access to Jenkins and ability to connect to the named pipe used by the plugin.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9
Vendor Advisory: https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-2604
Restart Required: Yes
Instructions:
1. Update Jenkins WMI Windows Agents Plugin to version 1.9 or later via Jenkins Plugin Manager.
2. Restart Jenkins and affected agents.
3. Verify plugin version is 1.9+.
🔧 Temporary Workarounds
Disable WMI Windows Agents Plugin
Platform: all
Temporarily disable the vulnerable plugin if immediate patching is not possible
Navigate to Jenkins > Manage Jenkins > Manage Plugins > Installed tab > Find 'WMI Windows Agents Plugin' > Uncheck 'Enabled'
Restrict Named Pipe Access
Platform: windows
Limit access to the named pipe used by the plugin through Windows security settings
Use Windows Security Policy to restrict access to \\.\pipe\jenkins-wmi-agent pipe
🧯 If You Can't Patch
- Implement strict access controls to limit which users can connect to Jenkins agents
- Segment Jenkins agent network to prevent lateral movement if exploitation occurs
🔍 How to Verify
Check if Vulnerable:
Check the Jenkins Plugin Manager for the WMI Windows Agents Plugin version. If the version is 1.8 or earlier, the system is vulnerable.
Check Version:
Navigate to Jenkins > Manage Jenkins > Manage Plugins > Installed tab > Find 'WMI Windows Agents Plugin'
Verify Fix Applied:
Verify plugin version is 1.9 or later in Jenkins Plugin Manager under Installed plugins.
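A scripted form of the version check above, as an added example (not from the original page or the Jenkins project). It assumes the plugin list was saved from the controller's `/pluginManager/api/json?depth=1` endpoint and that the plugin's short name is `windows-slaves`; releases between 1.8 and 1.9 are reported as unconfirmed because this page does not cover them.

```python
import json
import re

PLUGIN_ID = "windows-slaves"  # assumption: short name of the WMI Windows Agents Plugin
LAST_AFFECTED = (1, 8)        # "1.8 and earlier", per this page
FIRST_FIXED = (1, 9)          # patch version, per this page

# Constructed sample shaped like /pluginManager/api/json?depth=1 output.
SAMPLE = json.dumps({"plugins": [
    {"shortName": "git", "version": "4.11.3", "enabled": True},
    {"shortName": PLUGIN_ID, "version": "1.8", "enabled": True},
]})


def parse_version(text):
    """Parse '1.8', '1.10' or '1.8-SNAPSHOT' into a tuple of ints.

    Numeric tuples avoid the string-comparison trap where '1.10' < '1.9'.
    Trailing zeros are dropped so that '1.8.0' equals '1.8'.
    """
    parts = []
    for piece in text.split("-")[0].split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def classify(plugins_json):
    """Return the plugin's state on one controller."""
    for plugin in json.loads(plugins_json).get("plugins", []):
        if plugin.get("shortName") != PLUGIN_ID:
            continue
        version = parse_version(plugin.get("version", ""))
        if version >= FIRST_FIXED:
            return "fixed"
        # An empty or unparseable version falls through as vulnerable.
        state = "vulnerable" if version <= LAST_AFFECTED else "unconfirmed"
        # A disabled plugin matches the temporary workaround, not the fix.
        return state if plugin.get("enabled", True) else state + "-disabled"
    return "not-installed"


if __name__ == "__main__":
    print(classify(SAMPLE))
```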
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution patterns on Windows agents
- Multiple failed named pipe connection attempts
- Suspicious process creation from Jenkins agent service
Network Indicators:
- Unexpected outbound connections from Windows agents
- Unusual traffic patterns to/from Jenkins agent ports
SIEM Query:
source="jenkins.log" AND "WMI" AND ("error" OR "exception" OR "buffer")