CVE-2022-43406
Description
A sandbox bypass vulnerability in Jenkins Pipeline: Deprecated Groovy Libraries Plugin 583.vf3b_454e43966 and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A sandbox bypass in Jenkins Pipeline: Deprecated Groovy Libraries Plugin lets attackers with library and script permissions execute arbitrary code on the controller.
Vulnerability
Overview
The Jenkins Pipeline: Deprecated Groovy Libraries Plugin, versions 583.vf3b_454e43966 and earlier, contains a sandbox bypass vulnerability. The sandbox is designed to restrict untrusted Pipeline libraries and scripts, but certain Groovy language runtime casts are not intercepted, allowing the sandbox to be bypassed [1][2].
Exploitation
Conditions
Attackers must have permission to define untrusted Pipeline libraries and to define and run sandboxed scripts, including Pipelines. No authentication beyond those permissions is required, but the attacker must be able to trigger execution of the crafted library or script [1].
Impact
Successful exploitation allows the attacker to execute arbitrary code in the context of the Jenkins controller JVM, bypassing the sandbox protection entirely. This could lead to full compromise of the Jenkins controller and any data accessible to it [1][3].
Mitigation
The vulnerability is fixed in version 588.v576c103a_ff86 of the Pipeline: Deprecated Groovy Libraries Plugin [2]. Users should update to this version or later. No workaround is mentioned in the advisory; the vendor recommends immediate upgrade [1][2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins.workflow:workflow-cps-global-lib | Maven | < 588.v576c103a_ff86 | 588.v576c103a_ff86 |
| io.jenkins.plugins:pipeline-groovy-lib | Maven | < 613.v9c41a_160233f | 613.v9c41a_160233f |
Affected products
- pkg:maven/io.jenkins.plugins/pipeline-groovy-lib (GHSA coordinates, no CPE): range < 613.v9c41a_160233f
- pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps-global-lib (GHSA coordinates, no CPE): range < 588.v576c103a_ff86
- Jenkins project / Jenkins Pipeline: Deprecated Groovy Libraries Plugin: range unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-7qw2-h9gj-hcvh (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2022-43406 (NVD advisory)
- [3] www.openwall.com/lists/oss-security/2022/10/19/3 (oss-security mailing list)
- [4] www.jenkins.io/security/advisory/2022-10-19/ (Jenkins security advisory; listed by both GHSA and MITRE)
News mentions
No linked articles in our index yet.