CVE-2022-43404
Description
A sandbox bypass vulnerability involving crafted constructor bodies and calls to sandbox-generated synthetic constructors in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sandbox bypass in Jenkins Script Security Plugin via crafted constructors allows arbitrary code execution on Jenkins controller.
Vulnerability
CVE-2022-43404 is a sandbox bypass vulnerability in the Jenkins Script Security Plugin version 1183.v774b_0b_0a_a_451 and earlier. The flaw arises because the plugin fails to properly intercept casts performed implicitly by the Groovy language runtime when returning values from methods or assigning local variables, fields, and properties. Attackers can craft constructor bodies and call sandbox-generated synthetic constructors to escape the sandbox restrictions [1][3].
Exploitation
To exploit this vulnerability, an attacker must have permission to define and run sandboxed scripts, including Pipelines, within a Jenkins instance. No additional authentication or network position is required beyond that permission. The attack leverages the gap between the sandbox's allowlist checks and the Groovy runtime's implicit casts, allowing malicious code to execute outside the sandbox [2].
Impact
Successful exploitation allows the attacker to execute arbitrary code in the context of the Jenkins controller JVM. This can lead to full compromise of the Jenkins server, including access to credentials, builds, and secrets. The vulnerability is rated High severity (CVSS score not explicitly provided but implied) [1][3].
Mitigation
Jenkins has released updates for the Script Security Plugin to address this issue. Users should upgrade to a version beyond 1183.v774b_0b_0a_a_451. The advisory also notes that similar vulnerabilities were fixed in Pipeline: Groovy Plugin and other components [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:script-security (Maven) | < 1184.v85d16b_d851b_3 | 1184.v85d16b_d851b_3 |
| org.jenkins-ci.plugins.workflow:workflow-cps (Maven) | < 2803.v1a_f77ffcc773 | 2803.v1a_f77ffcc773 |
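
One way to check a plugin inventory against the patched versions in the table above. This is an added example, not code from the advisory or the Jenkins project. It assumes the inventory is available as `id:version` lines and orders versions by their leading numeric components, a simplification of Jenkins's own version comparison; the function names are hypothetical.

```python
# Fixed versions taken from the "Affected packages" table on this page.
PATCHED = {
    "script-security": "1184.v85d16b_d851b_3",
    "workflow-cps": "2803.v1a_f77ffcc773",
}

def numeric_prefix(version):
    """Leading all-digit dot-separated components: '1175.1177.vab_c' -> (1175, 1177).

    Assumption: the '.v<hash>' suffix carries no ordering information, so only
    this prefix is compared (older '2.94.1'-style versions work the same way).
    """
    parts = []
    for comp in version.strip().split("."):
        if not comp.isdigit():
            break
        parts.append(int(comp))
    if not parts:
        raise ValueError(f"no numeric prefix in version {version!r}")
    return tuple(parts)

def is_affected(plugin_id, version):
    """True if plugin_id is listed on this page and version is below the patched one."""
    fixed = PATCHED.get(plugin_id)
    if fixed is None:
        return False
    return numeric_prefix(version) < numeric_prefix(fixed)

def audit(plugin_lines):
    """Return [(plugin_id, installed, patched)] for affected 'id:version' lines."""
    findings = []
    for raw in plugin_lines:
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or ":" not in line:
            continue
        plugin_id, version = (s.strip() for s in line.split(":", 1))
        if is_affected(plugin_id, version):
            findings.append((plugin_id, version, PATCHED[plugin_id]))
    return findings

# Constructed sample inventory (not from a real controller).
SAMPLE = """\
script-security:1183.v774b_0b_0a_a_451
workflow-cps:2803.v1a_f77ffcc773
git:4.11.5            # not covered by this CVE
""".splitlines()

if __name__ == "__main__":
    for plugin_id, installed, patched in audit(SAMPLE):
        print(f"{plugin_id} {installed} is affected; upgrade to {patched} or later")
```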
Affected products
- ghsa-coords (2 versions): pkg:maven/org.jenkins-ci.plugins/script-security, pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps
  - (no CPE) range: < 1184.v85d16b_d851b_3
  - (no CPE) range: < 2803.v1a_f77ffcc773
- Jenkins project/Jenkins Script Security Plugin (v5), range: unspecified
References
- github.com/advisories/GHSA-27rf-8mjp-r363 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-43404 (ghsa, ADVISORY)
- www.openwall.com/lists/oss-security/2022/10/19/3 (ghsa, mailing-list, WEB)
- www.jenkins.io/security/advisory/2022-10-19/ (ghsa, WEB)
- www.jenkins.io/security/advisory/2022-10-19/ (mitre)