PT-2022-26886 · Jenkins · Jenkins Pipeline: Groovy Plugin
Daniel Beck
Published: 2022-10-19 · Updated: 2023-11-22
CVE-2022-43402
CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Jenkins Pipeline: Groovy Plugin versions 2802.v5ea_628154b_c2 and earlier
Description
A sandbox bypass vulnerability involving implicit casts performed by the Groovy language runtime allows attackers with permission to define and run sandboxed scripts to bypass sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
Recommendations
For versions 2802.v5ea_628154b_c2 and earlier, update to a version that intercepts Groovy casts performed implicitly by the Groovy language runtime, such as version 2803.v1a_f77ffcc773 or later.
Weakness Enumeration
Protection Mechanism Failure
Affected Products
Jenkins
Jenkins Pipeline: Groovy Plugin