CVE-2022-43401
Description
A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sandbox bypass in Jenkins Script Security Plugin allows attackers with sandbox script permission to execute arbitrary code via implicit Groovy casts.
The Jenkins Script Security Plugin provides a sandbox feature that restricts scripts defined by low-privileged users. In versions 1183.v774b_0b_0a_a_451 and earlier, the sandbox does not intercept various casts performed implicitly by the Groovy language runtime. This includes casts when returning values from methods, assigning local variables, fields, or properties, and when defining default parameters [1][2].
Exploitation requires an attacker to have permission to define and run sandboxed scripts, including Jenkins Pipelines. No additional authentication is needed beyond these permissions. The attacker can craft a script that leverages these unguarded implicit casts to bypass the sandbox restrictions [3].
Successful exploitation allows arbitrary code execution in the context of the Jenkins controller JVM, potentially leading to full compromise of the Jenkins environment and access to sensitive data or other systems [1].
Jenkins has released Script Security Plugin version 1184.vb_b_c6b_0b_0a_b_a and Pipeline: Groovy Plugin version 2803.v1a_f77ffcc773 that fix this vulnerability by properly intercepting implicit casts. Users are advised to update immediately [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:script-security (Maven) | < 1184.v85d16b_d851b_3 | 1184.v85d16b_d851b_3 |
| org.jenkins-ci.plugins.workflow:workflow-cps (Maven) | < 2803.v1a_f77ffcc773 | 2803.v1a_f77ffcc773 |
Affected products
- ghsa-coords (2 versions): pkg:maven/org.jenkins-ci.plugins/script-security, pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps
  - (no CPE) range: < 1184.v85d16b_d851b_3
  - (no CPE) range: < 2803.v1a_f77ffcc773
- Jenkins project / Jenkins Script Security Plugin (v5), range: unspecified
References
- github.com/advisories/GHSA-7vr5-72w7-q6jc (source: ghsa, type: ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-43401 (source: ghsa, type: ADVISORY)
- www.openwall.com/lists/oss-security/2022/10/19/3 (source: ghsa, type: mailing-list, WEB)
- www.jenkins.io/security/advisory/2022-10-19/ (source: ghsa, type: WEB)
- www.jenkins.io/security/advisory/2022-10-19/ (source: mitre)