CVE-2022-43405
Description
A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Libraries Plugin 612.v84da_9c54906d and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Attackers with permissions to define untrusted Pipeline libraries and run sandboxed scripts can bypass Jenkins' sandbox and execute arbitrary code on the controller.
Vulnerability
Overview
CVE-2022-43405 is a sandbox bypass in the Jenkins Pipeline: Groovy Libraries Plugin, affecting version 612.v84da_9c54906d and earlier. The root cause is insufficient sandbox enforcement: the Groovy runtime performs implicit casts (for example when a method's return value, or a value being assigned to a variable, is converted to the declared type) that the sandbox's allowlist checks do not intercept. Code in an untrusted Pipeline library can therefore trigger operations that the sandbox would reject if written as explicit calls, escaping the constraints normally applied to such libraries. [1]
Exploitation
Prerequisites and Attack Vector
An attacker needs two permissions: to define untrusted Pipeline libraries, and to define and run sandboxed scripts, including Pipelines. No further privileges are required; both are ordinary configuration permissions that non-administrators commonly hold. The attack surface is the controller's Groovy script execution engine (sandboxed Pipeline code runs on the controller, not on an agent), and the malicious code is introduced through a crafted Pipeline library. The sandbox executes that code in a restricted context, but the implicit-cast flaw lets it break out of that context. [1][2]
Impact
Successful exploitation allows the attacker to execute arbitrary code in the context of the Jenkins controller JVM, bypassing the sandbox protections entirely. Code running in the controller JVM has the same access as the Jenkins process itself, so this amounts to full compromise of the controller: every job, stored credential and secret is reachable, and the attacker can pivot further into the network from there. [3]
Mitigation
Status
The vulnerability is fixed in Pipeline: Groovy Libraries Plugin 613.v9c41a_160233f, as announced in the Jenkins Security Advisory 2022-10-19; the affected-packages table below also lists a fixed version for the older workflow-cps-global-lib artifact. Upgrade immediately. As general hardening, review and limit the set of users who can define untrusted libraries and run sandboxed scripts; this reduces exposure but is not a substitute for the upgrade, and no workaround other than upgrading has been published. [1][2]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (Maven) | Affected versions | Patched versions |
|---|---|---|
| io.jenkins.plugins:pipeline-groovy-lib | < 613.v9c41a_160233f | 613.v9c41a_160233f |
| org.jenkins-ci.plugins.workflow:workflow-cps-global-lib | < 588.v576c103a_ff86 | 588.v576c103a_ff86 |
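The practical first step from the Mitigation section is to find out whether a controller still runs an affected version. The script below is an added example, not code from the Jenkins project: it reads the plugin list from the standard Jenkins plugin-manager JSON endpoint (`/pluginManager/api/json?depth=1`) and compares the two library plugins against the patched versions in the table above. It assumes the plugin short names `pipeline-groovy-lib` and `workflow-cps-global-lib`, and the sample response embedded in it is constructed for the demonstration.

```python
"""
Check which Pipeline library plugins on a Jenkins controller are still at a
version affected by CVE-2022-43405.

Added example, not code from the Jenkins project. Assumes the standard
plugin-manager endpoint /pluginManager/api/json?depth=1 and the plugin short
names 'pipeline-groovy-lib' and 'workflow-cps-global-lib'. SAMPLE_RESPONSE is
a constructed stand-in for a real response.
"""
import base64
import json
import re
import sys
import urllib.request

# Patched versions from the affected-packages table on this page.
PATCHED = {
    "pipeline-groovy-lib": "613.v9c41a_160233f",
    "workflow-cps-global-lib": "588.v576c103a_ff86",
}

# Constructed sample of the endpoint's output, trimmed to the fields used
# here. The third entry is a made-up placeholder plugin.
SAMPLE_RESPONSE = json.loads("""
{"plugins": [
  {"shortName": "pipeline-groovy-lib", "version": "612.v84da_9c54906d", "active": true},
  {"shortName": "workflow-cps-global-lib", "version": "588.v576c103a_ff86", "active": true},
  {"shortName": "example-unrelated-plugin", "version": "1.2.3", "active": true}
]}
""")


def version_key(version):
    """Map a Jenkins plugin version string to a comparable tuple.

    Versions look like '613.v9c41a_160233f' (incremental release number
    followed by a git hash) or classic '2.21.3'. The hash carries no
    ordering, so only the leading numeric dot-components are compared.
    """
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_vulnerable(short_name, version):
    """True if this plugin/version pair is below its patched version."""
    patched = PATCHED.get(short_name)
    if patched is None:
        return False
    return version_key(version) < version_key(patched)


def audit(plugins):
    """Return (plugin, installed, patched) for each affected plugin found."""
    findings = []
    for plugin in plugins:
        name = plugin.get("shortName")
        version = plugin.get("version", "")
        if name in PATCHED and is_vulnerable(name, version):
            findings.append((name, version, PATCHED[name]))
    return findings


def fetch_plugins(base_url, user, api_token):
    """Pull the live plugin list using basic auth with a Jenkins API token."""
    url = base_url.rstrip("/") + "/pluginManager/api/json?depth=1"
    request = urllib.request.Request(url)
    credentials = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    request.add_header("Authorization", "Basic " + credentials)
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)["plugins"]


if __name__ == "__main__":
    if len(sys.argv) == 4:
        plugins = fetch_plugins(sys.argv[1], sys.argv[2], sys.argv[3])
    else:
        plugins = SAMPLE_RESPONSE["plugins"]  # offline demo on the sample
    for name, installed, patched in audit(plugins):
        print(f"{name}: installed {installed}, patched in {patched}")
```

Run it with no arguments to exercise the constructed sample, or as `python check_cve_2022_43405.py https://jenkins.example/ USER API_TOKEN` (file name and host are placeholders) against a live controller. Only the numeric release prefix is compared, because the git hash after `.v` in modern Jenkins plugin versions has no ordering; the classic `2.x` versions of workflow-cps-global-lib sort below 588 and are reported as affected.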
Affected products
- GHSA coordinates (2 version ranges, no CPE for either):
  - pkg:maven/io.jenkins.plugins/pipeline-groovy-lib, range: < 613.v9c41a_160233f
  - pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps-global-lib, range: < 588.v576c103a_ff86
- Jenkins project / Jenkins Pipeline: Groovy Libraries Plugin (CVE record v5; range: unspecified)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-4hjj-9gp7-4frg (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-43405 (NVD entry; via GHSA)
- www.openwall.com/lists/oss-security/2022/10/19/3 (oss-security mailing list post; via GHSA)
- www.jenkins.io/security/advisory/2022-10-19/ (Jenkins Security Advisory 2022-10-19; via GHSA and MITRE)
News mentions
No linked articles in our index yet.