CVE-2022-30951: 
Java vulnerability analysis and mitigation

CVE-2022-30951 is a security vulnerability discovered in Jenkins WMI Windows Agents Plugin versions 1.8 and earlier. The vulnerability relates to access control issues in the Windows Remote Command library, which is included in the plugin. The issue was disclosed on May 17, 2022, as part of a broader Jenkins security advisory (Jenkins Advisory).

The vulnerability stems from the Windows Remote Command library's implementation in the WMI Windows Agents Plugin, where it fails to implement proper access control mechanisms. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD).

The vulnerability allows unauthorized users to start processes on Windows agent machines even when they don't have login permissions. This creates a significant security risk as users could potentially execute commands outside their intended access level (Jenkins Advisory).

The vulnerability was fixed in WMI Windows Agents Plugin version 1.8.1, which removes the Windows Remote Command library entirely. In the updated version, a Java runtime is expected to be available on agent machines, and the plugin no longer automatically installs a JDK. The Jenkins security team has confirmed that the WMI Windows Agents Plugin was the only Jenkins project deliverable known to include the vulnerable Windows Remote Command library (Jenkins Advisory).