GHSA-2xvx-rw9p-xgfc

Source
https://github.com/advisories/GHSA-2xvx-rw9p-xgfc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-2xvx-rw9p-xgfc/GHSA-2xvx-rw9p-xgfc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2xvx-rw9p-xgfc
Aliases
Published
2022-05-18T00:00:39Z
Modified
2023-11-08T04:09:20.336605Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Sandbox bypass vulnerability through implicitly allowlisted platform Groovy files in Jenkins Pipeline: Groovy Plugin
Details

Pipeline: Groovy Plugin allows pipelines to load Groovy source files. This mechanism is intended to let Global Shared Libraries execute without sandbox protection.

In Pipeline: Groovy Plugin 2689.v434009a31bf1 and earlier, any Groovy source files bundled with Jenkins core and plugins could be loaded this way and their methods executed. If a suitable Groovy source file is available on the classpath of Jenkins, sandbox protections can be bypassed.

The Jenkins security team has been unable to identify any Groovy source files in Jenkins core or plugins that would allow attackers to execute dangerous code. While the severity of this issue is declared as High due to the potential impact, successful exploitation is considered very unlikely.

Pipeline: Groovy Plugin 2692.v76b_089ccd026 restricts which Groovy source files can be loaded in Pipelines.

Groovy source files in public plugins intended to be executed in sandboxed pipelines have been identified and added to an allowlist. The new extension point org.jenkinsci.plugins.workflow.cps.GroovySourceFileAllowlist allows plugins to add specific Groovy source files to that allowlist if necessary, but creation of plugin-specific Pipeline DSLs is strongly discouraged.

Database specific
{
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-434",
        "CWE-552"
    ],
    "nvd_published_at": "2022-05-17T15:15:00Z",
    "github_reviewed_at": "2022-12-02T21:10:55Z",
    "severity": "HIGH"
}
References

Affected packages

Maven / org.jenkins-ci.plugins.workflow:workflow-cps

Package

Name
org.jenkins-ci.plugins.workflow:workflow-cps
Purl
pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
2692.v76b

Affected versions

0.*
0.1-beta-1
0.1-beta-2
0.1-beta-3
0.1-beta-4
0.1-beta-5
0.1-beta-6
0.1-beta-7
0.1-beta-8
1.*
1.0-beta-1
1.0
1.1
1.2
1.3
1.4
1.4.1
1.4.2
1.4.3-beta-1
1.4.3
1.5
1.6-alpha-1
1.6
1.7-alpha-1
1.7
1.8
1.9-beta-1
1.9
1.10-beta-1
1.10
1.10.1
1.11-beta-1
1.11-beta-2
1.11-beta-3
1.11-beta-4
1.11
1.12-beta-1
1.12-beta-2
1.12-beta-3
1.12
1.13
1.14-beta-1
1.14
1.14.1-beta-1
1.14.1
1.14.2
1.15-beta-1
1.15
2.*
2.0
2.1
2.2
2.3
2.4
2.5
2.6
2.7
2.8
2.9
2.10
2.11
2.12
2.13
2.14
2.15
2.16
2.17
2.18
2.19
2.20
2.21
2.22
2.23
2.24
2.25
2.26
2.27
2.28
2.29
2.30
2.30-stepstorage2-alpha
2.30-stepstorage2-alpha2
2.30-stepstorage4-beta
2.31
2.32
2.33
2.34
2.35
2.36
2.36.1
2.37
2.38
2.39
2.40
2.41
2.42
2.43
2.43-durability-beta-1
2.43-durability-beta-2
2.43-durability-beta-3
2.43-durability-beta-4
2.44
2.45
2.46
2.46.1
2.46.2
2.47
2.48
2.49
2.50
2.51
2.52
2.53
2.54
2.54.1
2.54.2
2.55
2.56
2.57
2.57.1
2.57.2
2.57.3
2.58-beta-1
2.58
2.59
2.60
2.61
2.61.1
2.61.2
2.61.3
2.62
2.63
2.64
2.65
2.66
2.66.1
2.67
2.68
2.69
2.70
2.71
2.72
2.73
2.74
2.74.1
2.75
2.76
2.77
2.78
2.79
2.80
2.81
2.82
2.83
2.84
2.85
2.86
2.87
2.88
2.89
2.90
2.91
2.92
2.92.1
2.93
2.94
2.94.1
2.94.4
2633.*
2633.v6baeedc13805
2640.*
2640.v00e79c8113de
2644.*
2644.v29a793dac95a
2646.*
2646.v6ed3b5b01ff1
2648.*
2648.va9433432b33c
2648.2651.v230593e03e9f
2656.*
2656.vf7a_e7b_75a_457
2659.*
2659.v52d3de6044d0
2660.*
2660.vb_c0412dc4e6d
2660.2664.v4c114e93f4c1
2680.*
2680.vf642ed4fa_d55
2682.*
2682.va_473dcddc941
2683.*
2683.vd0a_8f6a_1c263
2683.2687.vb_0cc3f973f06
2686.*
2686.v7c37e0578401
2687.*
2687.v3f09155513c1
2688.*
2688.v39a_b_e5c49a_65
2689.*
2689.v434009a_31b_f1

Database specific

{
    "last_known_affected_version_range": "<= 2689.v434009a",
    "source": "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-2xvx-rw9p-xgfc/GHSA-2xvx-rw9p-xgfc.json"
}