CVE-2022-43403

CVSS v3.1

9.9

Critical

Vector

AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Jenkins Script Security Plugin versions 1183.v774b 0b 0a a 451 and earlier

Description A sandbox bypass issue involves casting an array-like value to an array type, allowing attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

Recommendations For Jenkins Script Security Plugin versions 1183.v774b 0b 0a a 451 and earlier, update to a version that intercepts per-element casts when casting array-like values to array types, such as version 1184.v85d16b d851b 3 or later.

Fix

Protection Mechanism Failure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-693

Related Identifiers

CVE-2022-43403

GHSA-F6MQ-6FX5-W2CH

RHSA-2023:0560

RHSA-2023:0777

RHSA-2023:1064

RHSA-2023:3198

Affected Products

Jenkins

Jenkins Script Security Plugin

CVE-2022-43403

Weakness Enumeration

Related Identifiers

Affected Products

References · 7