CVE-2022-43402 — Protection Mechanism Failure in Project Jenkins Pipeline Groovy Plugin
Severity: 9.9 CRITICAL (NVD)
EPSS: 0.1% (top 74.39%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Oct 19; Latest update Apr 19
Description
A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Pipeline: Groovy Plugin 2802.v5ea_628154b_c2 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Exploitability: 3.1 | Impact: 6.0
Affected Packages: 2 packages
Vulnerability Details (7)
OSV: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin and in Pipeline: Groovy Plugin (2022-10-19)
CVEList: CVE-2022-43402: A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Pipeline: Groovy Plugin 2802 (2022-10-19)
GHSA: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin and in Pipeline: Groovy Plugin (2022-10-19)
GHSA: Jenkins Pipeline: Groovy Plugin allows sandbox protection bypass and arbitrary code execution (2022-10-19)