Jenkins Pipeline: Groovy — known CVE vulnerabilities
Every CVE whose affected-product data names Jenkins Pipeline: Groovy, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (14)
CVE-2022-43402 — CVSS 9.9 (critical): A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Pipeline: Groovy…
CVE-2019-1003041 — CVSS 9.8 (critical): A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Plugin 2.64 and earlier allows attackers to invoke arbitrary constructors in…
CVE-2022-25173 — CVSS 8.8 (high): Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier uses the same checkout directories for distinct SCMs when reading the script…
CVE-2017-1000096 — CVSS 8.8 (high): Arbitrary code execution due to incomplete sandbox protection: Constructors, instance variable initializers, and instance initializers in…
CVE-2020-2109 — CVSS 8.8 (high): Sandbox protection in Jenkins Pipeline: Groovy Plugin 2.78 and earlier can be circumvented through default parameter expressions in…
CVE-2018-1000866 — CVSS 8.8 (high): A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.59 and earlier in groovy-sandbox/src/main/java/org/kohsuke/groovy/sandbox…
CVE-2019-1003001 — CVSS 8.8 (high): A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins/workflow/cps/CpsFlo…
CVE-2022-30945 — CVSS 8.5 (high): Jenkins Pipeline: Groovy Plugin 2689.v434009a_31b_f1 and earlier allows loading any Groovy source files on the classpath of Jenkins and…
CVE-2024-52550 — CVSS 8.0 (high): Jenkins Pipeline: Groovy Plugin 3990.vd281dd77a_388 and earlier, except 3975.3977.v478dd9e956c3 does not check whether the main…
CVE-2022-25176 — CVSS 6.5 (medium): Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier follows symbolic links to locations outside of the checkout directory for…
CVE-2022-25180 — CVSS 4.3 (medium): Jenkins Pipeline: Groovy Plugin 2648.va9433432b33c and earlier includes password parameters from the original build in replayed builds…
CVE-2026-57283 — CVSS 4.3 (medium): A cross-site request forgery (CSRF) vulnerability in Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier allows attackers to…
CVE-2026-57284 — CVSS 4.3 (medium): Jenkins Pipeline: Groovy Plugin 4331.v9d06ed4658ff and earlier does not restrict the types that can be instantiated through the Pipeline…