Sandbox Bypass Vulnerability in Jenkins Pipeline: Groovy Plugin
CVE-2022-43402

9.9 CRITICAL

Key Information:

Vendor: Jenkins
CVE Published: 19 October 2022

Summary

Attackers with permission to create and execute sandboxed scripts in Jenkins can bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. The flaw stems from type casts that the Groovy language runtime performs implicitly. Jenkins Pipeline: Groovy Plugin version 2802.v5ea_628154b_c2 and earlier is affected, so installations running these versions need immediate review and mitigation.

Affected Version(s)

Jenkins Pipeline: Groovy Plugin <= 2802.v5ea_628154b_c2

Jenkins Pipeline: Groovy Plugin 2759.2761.vd6e8d2a_15980

Jenkins Pipeline: Groovy Plugin 2746.2748.v365128b_c26d7

CVSS V3.1

Score: 9.9
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
