CVE-2022-43404
jenkins-plugin/script-security: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A sandbox bypass vulnerability involving crafted constructor bodies and calls to sandbox-generated synthetic constructors in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
Una vulnerabilidad de omisión del sandbox que implica cuerpos de constructores diseñados y llamadas a constructores sintéticos generados por la sandbox en Jenkins Script Security Plugin versiones 1183.v774b_0b_0a_451 y anteriores, permite a atacantes con permiso para definir y ejecutar scripts con sandbox, incluyendo Pipelines, omitir la protección del sandbox y ejecutar código arbitrario en el contexto de la JVM del controlador de Jenkins
A sandbox bypass vulnerability was found in several Jenkins plugins. This could allow an authenticated attacker to execute arbitrary code within the Jenkins JVM controller. Exploitation could be achieved by crafting untrusted libraries or pipelines, compromising the integrity, availability, and confidentiality of Jenkins.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2022-10-18 CVE Reserved
- 2022-10-19 CVE Published
- 2024-03-31 EPSS Updated
- 2024-08-03 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-693: Protection Mechanism Failure
CAPEC
References (4)
URL | Tag | Source |
---|---|---|
http://www.openwall.com/lists/oss-security/2022/10/19/3 | Mailing List |
URL | Date | SRC |
---|
URL | Date | SRC |
---|
URL | Date | SRC |
---|---|---|
https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20%281%29 | 2023-11-22 | |
https://access.redhat.com/security/cve/CVE-2022-43404 | 2023-05-17 | |
https://bugzilla.redhat.com/show_bug.cgi?id=2136383 | 2023-05-17 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Jenkins Search vendor "Jenkins" | Script Security Search vendor "Jenkins" for product "Script Security" | <= 1183.v774b_0b_0a_a_451 Search vendor "Jenkins" for product "Script Security" and version " <= 1183.v774b_0b_0a_a_451" | jenkins |
Affected
|