PT-2022-26889 · Jenkins · Jenkins Pipeline: Deprecated Groovy Libraries Plugin

Devin Nusbaum · Published 2022-10-19 · Updated 2023-11-22 · CVE-2022-43405

CVSS v3.1: 9.9 (Critical)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Jenkins Pipeline: Groovy Libraries Plugin versions 612.v84da_9c54906d and earlier
Jenkins Pipeline: Deprecated Groovy Libraries Plugin versions 583.vf3b_454e43966 and earlier

Description

A sandbox bypass issue allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. The library step in the affected plugins can be used to invoke sandbox-generated synthetic constructors in crafted untrusted libraries and construct any subclassable type. This issue is similar to a previously reported security advisory, but it affects a different plugin.

Recommendations

For Jenkins Pipeline: Groovy Libraries Plugin versions 612.v84da_9c54906d and earlier, update to version 613.v9c41a_160233f or later, which rejects improper calls to sandbox-generated synthetic constructors when using the library step.

For Jenkins Pipeline: Deprecated Groovy Libraries Plugin versions 583.vf3b_454e43966 and earlier, update to version 588.v576c103a_ff86 or later, which no longer contains the library step.

As a temporary workaround, consider restricting the use of the library step in sandboxed Pipelines to minimize the risk of exploitation.

Fix

Weakness Enumeration

Protection Mechanism Failure

Related Identifiers

CVE-2022-43405
GHSA-4HJJ-9GP7-4FRG
RHSA-2023:0560
RHSA-2023:0777
RHSA-2023:1064
RHSA-2023:3198

Affected Products

Jenkins
Jenkins Pipeline: Deprecated Groovy Libraries Plugin
Jenkins Pipeline: Shared Groovy Libraries Plugin