GHSA-f6mq-6fx5-w2ch

Source

https://github.com/advisories/GHSA-f6mq-6fx5-w2ch

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-f6mq-6fx5-w2ch/GHSA-f6mq-6fx5-w2ch.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-f6mq-6fx5-w2ch

Aliases

CVE-2022-43403

Published

2022-10-19T19:00:21Z

Modified

2024-02-19T05:31:48.698832Z

Severity

9.9 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H CVSS Calculator

Summary

Jenkins Script Security Plugin sandbox bypass vulnerability

Details

A sandbox bypass vulnerability involving casting an array-like value to an array type in Jenkins Script Security Plugin 1183.v774b0b0aa451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. Script Security Plugin 1184.v85d16bd851b3 intercepts per-element casts when casting array-like values to array types.

References

Affected packages

Maven / org.jenkins-ci.plugins:script-security

Package

Name: org.jenkins-ci.plugins:script-security; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/script-security

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1184.v85d16b_d851b_3

Affected versions

1.*

1.0-beta-1

1.0-beta-2

1.0-beta-3

1.0-beta-4

1.0-beta-5

1.0-beta-6

1.0

1.1

1.2

1.3

1.4

1.5

1.6

1.7

1.8

1.9

1.10

1.11

1.12

1.13

1.14

1.15

1.16

1.17

1.18

1.18.1

1.19

1.20

1.21

1.22

1.23

1.24

1.25

1.26

1.27

1.28

1.29

1.29.1

1.30

1.31

1.33

1.34

1.35

1.36

1.37

1.38

1.39

1.40

1.41

1.42

1.43

1.44

1.44.1

1.45

1.46

1.46.1

1.47

1.48

1.49

1.50

1.51

1.52

1.53

1.54

1.54.1

1.54.2

1.54.3

1.54.4

1.55

1.56

1.57

1.57.1

1.57.2

1.57.3

1.57.4

1.57.5

1.57.6

1.58

1.59

1.60

1.60.1

1.61

1.62

1.63

1.63.1

1.64

1.65

1.66

1.66.1

1.66.2

1.66.3

1.66.4

1.66.5

1.67

1.68

1.69

1.70

1.71

1.72

1.73

1.74

1.75

1.76

1.77

1.78

1.78.1

1118.*

1118.vba21ca2e3286

1125.*

1125.v132f99385e1b_

1131.*

1131.v8b_b_5eda_c328e

1138.*

1138.v8e727069a_025

1140.*

1140.vf967fb_efa_55a_

1145.*

1145.vb_cf6cf6ed960

1145.1148.vf6d17a_a_a_eef6

1146.*

1146.vdf547f19a_473

1158.*

1158.v7c1b_73a_69a_08

1172.*

1172.v35f6a_0b_8207e

1175.*

1175.v4b_d517d6db_f0

1175.1177.vda_175b_77d144

1175.1179.vea_f7532629e1

1175.1180.v36a_3fb_2dec9c

1183.*

1183.v774b_0b_0a_a_451

Database specific

{
    "last_known_affected_version_range": "< 1184.v85d16b"
}