Vulnerability_id VCID-7ez2-n617-u3dq
Summary
Sandbox bypass vulnerability through implicitly allowlisted platform Groovy files in Jenkins Pipeline: Groovy Plugin
Pipeline: Groovy Plugin allows pipelines to load Groovy source files. This is intended to be used to allow Global Shared Libraries to execute without sandbox protection.

In Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier, any Groovy source files bundled with Jenkins core and plugins could be loaded this way and their methods executed. If a suitable Groovy source file is available on the classpath of Jenkins, sandbox protections can be bypassed.

The Jenkins security team has been unable to identify any Groovy source files in Jenkins core or plugins that would allow attackers to execute dangerous code. While the severity of this issue is declared as High due to the potential impact, successful exploitation is considered very unlikely.

Pipeline: Groovy Plugin 2692.v76b_089ccd026 restricts which Groovy source files can be loaded in Pipelines.

Groovy source files in public plugins intended to be executed in sandboxed pipelines have been identified and added to an allowlist. The new extension point `org.jenkinsci.plugins.workflow.cps.GroovySourceFileAllowlist` allows plugins to add specific Groovy source files to that allowlist if necessary, but creation of plugin-specific Pipeline DSLs is strongly discouraged.
Aliases
0
alias CVE-2022-30945
1
alias GHSA-2xvx-rw9p-xgfc
Fixed_packages
0
url pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps@2692.v76b
purl pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps@2692.v76b
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps@2692.v76b
Affected_packages
0
url pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps@2689.v434009a
purl pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps@2689.v434009a
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7ez2-n617-u3dq
resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps@2689.v434009a
1
url pkg:rpm/redhat/jenkins-2-plugins@4.8.1672842762-1?arch=el8
purl pkg:rpm/redhat/jenkins-2-plugins@4.8.1672842762-1?arch=el8
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-4qvq-xv22-xbed
1
vulnerability VCID-7ez2-n617-u3dq
2
vulnerability VCID-9h4k-xjx5-afc8
3
vulnerability VCID-c2jh-gx5w-mqcd
4
vulnerability VCID-ca7m-fb38-kfe2
5
vulnerability VCID-fzvq-dpvh-v7eu
6
vulnerability VCID-gxu6-51zm-sfh7
7
vulnerability VCID-hg91-mnh3-g3a4
8
vulnerability VCID-k6wy-rwhv-ckd2
9
vulnerability VCID-qsut-4d83-97h1
10
vulnerability VCID-rs56-6qvx-vucg
11
vulnerability VCID-tt48-pfzv-mkgt
12
vulnerability VCID-ubq1-gzr6-x3fu
13
vulnerability VCID-xq5k-dyk9-u3ct
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins-2-plugins@4.8.1672842762-1%3Farch=el8
References
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-30945.json
reference_id
reference_type
scores
0
value 8.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-30945.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-30945
reference_id
reference_type
scores
0
value 0.00445
scoring_system epss
scoring_elements 0.63499
published_at 2026-05-07T12:55:00Z
1
value 0.00445
scoring_system epss
scoring_elements 0.63454
published_at 2026-05-05T12:55:00Z
2
value 0.0111
scoring_system epss
scoring_elements 0.78117
published_at 2026-04-04T12:55:00Z
3
value 0.0111
scoring_system epss
scoring_elements 0.78087
published_at 2026-04-02T12:55:00Z
4
value 0.0111
scoring_system epss
scoring_elements 0.781
published_at 2026-04-07T12:55:00Z
5
value 0.0111
scoring_system epss
scoring_elements 0.78126
published_at 2026-04-08T12:55:00Z
6
value 0.0111
scoring_system epss
scoring_elements 0.78132
published_at 2026-04-09T12:55:00Z
7
value 0.0111
scoring_system epss
scoring_elements 0.78158
published_at 2026-04-11T12:55:00Z
8
value 0.0111
scoring_system epss
scoring_elements 0.7814
published_at 2026-04-12T12:55:00Z
9
value 0.0111
scoring_system epss
scoring_elements 0.78136
published_at 2026-04-13T12:55:00Z
10
value 0.0111
scoring_system epss
scoring_elements 0.7817
published_at 2026-04-16T12:55:00Z
11
value 0.0111
scoring_system epss
scoring_elements 0.78169
published_at 2026-04-18T12:55:00Z
12
value 0.0111
scoring_system epss
scoring_elements 0.78163
published_at 2026-04-21T12:55:00Z
13
value 0.0111
scoring_system epss
scoring_elements 0.78196
published_at 2026-04-24T12:55:00Z
14
value 0.0111
scoring_system epss
scoring_elements 0.78201
published_at 2026-04-26T12:55:00Z
15
value 0.0111
scoring_system epss
scoring_elements 0.78216
published_at 2026-04-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-30945
2
reference_url https://github.com/jenkinsci/workflow-cps-plugin
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/jenkinsci/workflow-cps-plugin
3
reference_url https://github.com/jenkinsci/workflow-cps-plugin/commit/76a7681702f42d65f77bbaa5463f146876ea62db
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/jenkinsci/workflow-cps-plugin/commit/76a7681702f42d65f77bbaa5463f146876ea62db
4
reference_url https://github.com/jenkinsci/workflow-cps-plugin/commit/76b089ccd026b68012b0deb30c217395f7ca7dc2
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/jenkinsci/workflow-cps-plugin/commit/76b089ccd026b68012b0deb30c217395f7ca7dc2
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-30945
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-30945
6
reference_url https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.jenkins.io/security/advisory/2022-05-17/#SECURITY-359
7
reference_url http://www.openwall.com/lists/oss-security/2022/05/17/8
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://www.openwall.com/lists/oss-security/2022/05/17/8
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2119642
reference_id 2119642
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2119642
9
reference_url https://github.com/advisories/GHSA-2xvx-rw9p-xgfc
reference_id GHSA-2xvx-rw9p-xgfc
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-2xvx-rw9p-xgfc
10
reference_url https://access.redhat.com/errata/RHSA-2023:0017
reference_id RHSA-2023:0017
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:0017
Weaknesses
0
cwe_id 434
name Unrestricted Upload of File with Dangerous Type
description The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
1
cwe_id 552
name Files or Directories Accessible to External Parties
description The product makes files or directories accessible to unauthorized actors, even though they should not be.
2
cwe_id 94
name Improper Control of Generation of Code ('Code Injection')
description The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
3
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
4
cwe_id 78
name Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
description The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
5
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
Exploits
Severity_range_score 7.0 - 8.9
Exploitability 0.5
Weighted_severity 8.0
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7ez2-n617-u3dq