CVE-2022-43403
Description
A sandbox bypass vulnerability involving casting an array-like value to an array type in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A sandbox bypass in Jenkins Script Security Plugin allows attackers with script permission to execute arbitrary code via implicit array casts.
Vulnerability
Overview
CVE-2022-43403 is a sandbox bypass vulnerability in Jenkins Script Security Plugin versions 1183.v774b_0b_0a_a_451 and earlier. The root cause is that the plugin does not intercept implicit casts performed by the Groovy language runtime when an array-like value is cast to an array type. This includes casts during method return values, local variable assignments, field/property assignments, and default value definitions [1][4].
Exploitation
An attacker must have permission to define and run sandboxed scripts, such as Pipeline scripts. The sandbox is designed to restrict such users to safe operations, but this flaw allows bypassing those restrictions. The cast operation is not part of the plugin's allowlist checks, so the sandbox fails to block the unsafe cast [1][3].
Impact
Successful exploitation enables arbitrary code execution in the context of the Jenkins controller JVM. This could lead to full compromise of the Jenkins instance, including access to credentials, builds, and other sensitive data [1][4]. The vulnerability has a base CVSS score of 9.9 (Critical) [2].
Mitigation
Jenkins has released Script Security Plugin version 1184.v85d16b_d851b_3 and Pipeline: Groovy Plugin version 2803.v1a_f77ffcc773 to address this issue. Users should upgrade immediately. No workaround is available if the plugin is in use [1][3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins:script-security | Maven | < 1184.v85d16b_d851b_3 | 1184.v85d16b_d851b_3 |
Affected products
- Jenkins project / Jenkins Script Security Plugin (version range: unspecified)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-f6mq-6fx5-w2ch (source: GHSA; type: advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-43403 (source: GHSA; type: advisory)
- www.openwall.com/lists/oss-security/2022/10/19/3 (source: GHSA; type: mailing list, web)
- www.jenkins.io/security/advisory/2022-10-19/ (source: GHSA; type: web)
- www.secpod.com/blog/oracle-releases-critical-security-updates-january-2023-patch-now (source: GHSA; type: web)
- www.jenkins.io/security/advisory/2022-10-19/ (source: MITRE)
- www.secpod.com/blog/oracle-releases-critical-security-updates-january-2023-patch-now/ (source: MITRE)
News mentions
No linked articles in our index yet.