CVE-2022-30945: 
Java vulnerability analysis and mitigation

CVE-2022-30945 is a high-severity sandbox bypass vulnerability discovered in Jenkins Pipeline: Groovy Plugin. The vulnerability was disclosed on May 17, 2022, affecting Pipeline: Groovy Plugin versions up to and including 2689.v434009a31bf1. The plugin allows pipelines to load Groovy source files, which was intended for Global Shared Libraries to execute without sandbox protection (Jenkins Advisory).

The vulnerability allows any Groovy source files bundled with Jenkins core and plugins to be loaded and their methods executed. If a suitable Groovy source file is available on the classpath of Jenkins, sandbox protections can be bypassed. The issue has been assigned a High severity CVSS rating, though the Jenkins security team noted they were unable to identify any Groovy source files in Jenkins core or plugins that would allow attackers to execute dangerous code, making successful exploitation very unlikely (Jenkins Advisory).

If exploited, the vulnerability could potentially allow attackers to bypass sandbox protections in Jenkins pipelines. However, the actual impact is considered limited as no known Groovy source files in Jenkins core or plugins have been identified that would enable the execution of dangerous code (Jenkins Advisory).

The vulnerability was fixed in Pipeline: Groovy Plugin version 2692.v76b_089ccd026. The update restricts which Groovy source files can be loaded in Pipelines. Groovy source files in public plugins intended to be executed in sandboxed pipelines have been identified and added to an allowlist. A new extension point org.jenkinsci.plugins.workflow.cps.GroovySourceFileAllowlist was introduced to allow plugins to add specific Groovy source files to the allowlist if necessary (Jenkins Advisory).