CVE-2022-43404

2022-10-1916:15:10

Google

osv.dev

jenkins

script security

vulnerability

sandbox bypass

arbitrary code

9.9 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

9.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

47.3%

JSON

A sandbox bypass vulnerability involving crafted constructor bodies and calls to sandbox-generated synthetic constructors in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

CPENameOperatorVersion
script-security-plugineqscript-security-1.44
script-security-plugineqscript-security-1.15
script-security-plugineqscript-security-1.69
script-security-plugineqscript-security-1.6
script-security-plugineqscript-security-1.52
script-security-plugineq1125.v132f99385e1b_
script-security-plugineqscript-security-1.38
script-security-plugineqscript-security-1.20
script-security-plugineqscript-security-1.72
script-security-plugineqscript-security-1.53

Name	Operator	Version
script-security-plugin	eq	script-security-1.44
script-security-plugin	eq	script-security-1.15
script-security-plugin	eq	script-security-1.69
script-security-plugin	eq	script-security-1.6
script-security-plugin	eq	script-security-1.52
script-security-plugin	eq	1125.v132f99385e1b_
script-security-plugin	eq	script-security-1.38
script-security-plugin	eq	script-security-1.20
script-security-plugin	eq	script-security-1.72
script-security-plugin	eq	script-security-1.53