{"containers": {"cna": {"affected": [{"product": "Jenkins Pipeline: Groovy Plugin", "vendor": "Jenkins project", "versions": [{"lessThanOrEqual": "2689.v434009a_31b_f1", "status": "affected", "version": "unspecified", "versionType": "custom"}, {"status": "unaffected", "version": "2683.2687.vb_0cc3f973f06"}, {"status": "unaffected", "version": "2.94.4"}]}], "descriptions": [{"lang": "en", "value": "Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T14:21:39.109Z"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359"}, {"name": "[oss-security] 20220517 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST"], "url": "http://www.openwall.com/lists/oss-security/2022/05/17/8"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "jenkinsci-cert@googlegroups.com", "ID": "CVE-2022-30945", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Jenkins Pipeline: Groovy Plugin", "version": {"version_data": [{"version_affected": "<=", "version_value": "2689.v434009a_31b_f1"}, {"version_affected": "!", "version_value": "2683.2687.vb_0cc3f973f06"}, {"version_affected": "!", "version_value": "2.94.4"}]}}]}, "vendor_name": "Jenkins project"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-693: Protection Mechanism Failure"}]}]}, "references": {"reference_data": [{"name": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359", "refsource": "CONFIRM", "url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359"}, {"name": "[oss-security] 20220517 Multiple vulnerabilities in Jenkins plugins", "refsource": "MLIST", "url": "http://www.openwall.com/lists/oss-security/2022/05/17/8"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T07:03:40.031Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359"}, {"name": "[oss-security] 20220517 Multiple vulnerabilities in Jenkins plugins", "tags": ["mailing-list", "x_refsource_MLIST", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2022/05/17/8"}]}]}, "cveMetadata": {"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "assignerShortName": "jenkins", "cveId": "CVE-2022-30945", "datePublished": "2022-05-17T14:05:37", "dateReserved": "2022-05-16T00:00:00", "dateUpdated": "2024-08-03T07:03:40.031Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:pipeline\\:_groovy:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "B2F9F190-63A9-4B22-B99E-BA93EC46ED7A", "versionEndExcluding": "2689.v434009a_31b_f1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines."}, {"lang": "es", "value": "Jenkins Pipeline: Groovy Plugin versiones 2689.v434009a_31b_f1 y anteriores, permite cargar cualquier archivo fuente Groovy en el classpath de Jenkins y de los plugins de Jenkins en pipelines de sandbox"}], "id": "CVE-2022-30945", "lastModified": "2024-11-21T07:03:36.430", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 6.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.6, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 6.0, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-05-17T15:15:08.647", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/05/17/8"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2022/05/17/8"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch", "Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:0017", "cpe": "cpe:/a:redhat:openshift:4.8::el8", "package": "jenkins-2-plugins-0:4.8.1672842762-1.el8", "product_name": "Red Hat OpenShift Container Platform 4.8", "release_date": "2023-01-12T00:00:00Z"}], "bugzilla": {"description": "plugin: Sandbox bypass vulnerability through implicitly allowlisted platform Groovy files in Pipeline: Groovy Plugin", "id": "2119642", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2119642"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-552->CWE-693", "details": ["Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and Jenkins plugins in sandboxed pipelines.", "A flaw was found in Jenkins Groovy Plugin. The plugin allows pipelines to load Groovy source files. The intent is to allow Global Shared Libraries to execute without sandbox protection. The issue is that the plugin allows any Groovy source files bundled with Jenkins core and plugins to be loaded this way and their methods executed. If a suitable Groovy source file is available on the classpath of Jenkins, sandbox protections can be bypassed. No Groovy source files were found in Jenkins core or plugins that could result in attackers executing dangerous code; hence successful exploitation is considered highly unlikely."], "name": "CVE-2022-30945", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Will not fix", "package_name": "jenkins-2-plugins", "product_name": "Red Hat OpenShift Container Platform 3.11"}], "public_date": "2022-05-17T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2022-30945\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-30945\nhttps://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359"], "threat_severity": "Important"}