Bug 2119642 (CVE-2022-30945) - CVE-2022-30945 Jenkins plugin: Sandbox bypass vulnerability through implicitly allowlisted platform Groovy files in Pipeline: Groovy Plugin
Summary: CVE-2022-30945 Jenkins plugin: Sandbox bypass vulnerability through implicitl...
Alias: CVE-2022-30945
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: 2119640
TreeView+ depends on / blocked
Reported: 2022-08-19 04:09 UTC by Avinash Hanwate
Modified: 2023-02-20 15:28 UTC (History)
3 users (show)

Fixed In Version: Pipeline Groovy Plugin 2692.v76b_089ccd026
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Jenkins Groovy Plugin. The plugin allows pipelines to load Groovy source files. The intent is to allow Global Shared Libraries to execute without sandbox protection. The issue is that the plugin allows any Groovy source files bundled with Jenkins core and plugins to be loaded this way and their methods executed. If a suitable Groovy source file is available on the classpath of Jenkins, sandbox protections can be bypassed. No Groovy source files were found in Jenkins core or plugins that could result in attackers executing dangerous code; hence successful exploitation is considered highly unlikely.
Clone Of:
Last Closed: 2023-01-14 17:30:40 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:0017 0 None None None 2023-01-12 16:46:57 UTC

Description Avinash Hanwate 2022-08-19 04:09:09 UTC
Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines.

Comment 4 errata-xmlrpc 2023-01-12 16:46:55 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2023:0017 https://access.redhat.com/errata/RHSA-2023:0017

Comment 5 Product Security DevOps Team 2023-01-14 17:30:38 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.