CVE-2022-43405

A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Libraries Plugin 612.v84da_9c54906d and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

Published: Oct 19, 2022
Updated: May 9, 2024
CVE: CVE-2022-43405
GHSA: GHSA-4hjj-9gp7-4frg
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.9
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWEs:

CWE-693

Affected Software
References

Software	From	Fixed in
jenkins / groovy_libraries	-	612.v84da_9c54906d.x
io.jenkins.plugins / pipeline-groovy-lib	-	613.v9c41a_160233f
org.jenkins-ci.plugins.workflow / workflow-cps-global-lib	-	588.v576c103a_ff86

http://www.openwall.com/lists/oss-security/2022/10/19/3
https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)
https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20%282%29

Vulnerability Database

289,871

CVE-2022-43405