CVE-2022-43403
jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A sandbox bypass vulnerability involving casting an array-like value to an array type in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
Una vulnerabilidad de omisión del sandbox que involucra la fundición de un valor de tipo array a un tipo de array en Jenkins Script Security Plugin versiones 1183.v774b_0b_0a_451 y anteriores, permite a atacantes con permiso para definir y ejecutar scripts en sandbox, incluyendo Pipelines, omitir la protección del sandbox y ejecutar código arbitrario en el contexto de la JVM del controlador de Jenkins
A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-10-18 CVE Reserved
- 2022-10-19 CVE Published
- 2024-08-03 CVE Updated
- 2024-09-04 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-693: Protection Mechanism Failure
CAPEC
References (5)
| URL | Tag | Source |
|---|---|---|
| http://www.openwall.com/lists/oss-security/2022/10/19/3 | Mailing List |
|
| https://www.secpod.com/blog/oracle-releases-critical-security-updates-january-2023-patch-now | Third Party Advisory |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20%281%29 | 2023-11-22 | |
| https://access.redhat.com/security/cve/CVE-2022-43403 | 2023-05-17 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2136382 | 2023-05-17 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Jenkins Search vendor "Jenkins" | Script Security Search vendor "Jenkins" for product "Script Security" | <= 1183.v774b_0b_0a_a_451 Search vendor "Jenkins" for product "Script Security" and version " <= 1183.v774b_0b_0a_a_451" | jenkins |
Affected
| ||||||