Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mNm1xLTZmeDUtdzJjaM4AAvdZ
Jenkins Script Security Plugin sandbox bypass vulnerability
A sandbox bypass vulnerability involving casting an array-like value to an array type in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. Script Security Plugin 1184.v85d16b_d851b_3 intercepts per-element casts when casting array-like values to array types.
Permalink: https://github.com/advisories/GHSA-f6mq-6fx5-w2chJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mNm1xLTZmeDUtdzJjaM4AAvdZ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 years ago
Updated: about 1 year ago
CVSS Score: 10.0
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Identifiers: GHSA-f6mq-6fx5-w2ch, CVE-2022-43403
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-43403
- https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)
- http://www.openwall.com/lists/oss-security/2022/10/19/3
- https://www.secpod.com/blog/oracle-releases-critical-security-updates-january-2023-patch-now/
- https://github.com/advisories/GHSA-f6mq-6fx5-w2ch
Affected Packages
maven:org.jenkins-ci.plugins:script-security
Affected Version Ranges: < 1184.v85d16bFixed in: 1184.v85d16b_d851b_3