VYPR
Critical severity · NVD Advisory · Published Oct 19, 2022 · Updated Aug 3, 2024

CVE-2022-43402

Description

A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Pipeline: Groovy Plugin 2802.v5ea_628154b_c2 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A sandbox bypass in Jenkins Pipeline: Groovy Plugin allows attackers with sandboxed script permissions to execute arbitrary code on the Jenkins controller via implicit Groovy casts.

Vulnerability

Overview

CVE-2022-43402 is a sandbox bypass vulnerability in the Jenkins Pipeline: Groovy Plugin, affecting versions 2802.v5ea_628154b_c2 and earlier. The root cause is that the Groovy language runtime performs various implicit casts (e.g., when returning values from methods, assigning local variables, fields, or properties) that are not intercepted by the sandbox protection mechanism [1][3]. This allows sandboxed scripts to bypass the intended restrictions.

Exploitation

An attacker must have permission to define and run sandboxed scripts, including Pipelines, within Jenkins. By crafting a script that leverages these implicit casts, the attacker can circumvent the sandbox's allowlist checks and execute arbitrary code [1][2]. No additional authentication is required beyond the existing permissions for sandboxed script execution.

Impact

Successful exploitation enables arbitrary code execution in the context of the Jenkins controller JVM. This can lead to full compromise of the Jenkins server, including access to credentials, secrets, and the ability to modify jobs or infrastructure [1][3].

Mitigation

The vulnerability is fixed in Pipeline: Groovy Plugin version 2803.v1a_f77ffcc773 and later. Users are strongly advised to upgrade immediately. No workarounds are available [2].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins.workflow:workflow-cps (Maven)
Affected versions: < 2803.v1a_f77ffcc773
Patched versions: 2803.v1a_f77ffcc773

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0

No linked articles in our index yet.