Jenkins Groovy Pipeline Sandbox Bypass via Implicit Casts
CVE-2022-43402 Published on October 19, 2022
A sandbox bypass vulnerability involving various casts performed implicitly by the Groovy language runtime in Jenkins Pipeline: Groovy Plugin 2802.v5ea_628154b_c2 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
Products Associated with CVE-2022-43402
stack.watch emails you whenever new vulnerabilities are published in Jenkins Groovy or Jenkins Pipeline. Just hit a watch button to start following.
Affected Versions
Jenkins project Jenkins Pipeline: Groovy Plugin:- Version 2759.2761.vd6e8d2a_15980 is unaffected.
- Version 2746.2748.v365128b_c26d7 is unaffected.
- Version unspecified, <= 2802.v5ea_628154b_c2 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.