8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-43401

GHSA ID

GHSA-7vr5-72w7-q6jc

EPSS Score

0.35058%

CWE

CWE-693

Published

10/19/2022

Updated

11/22/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-43401

CVE-2022-43401: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin and in Pipeline: Groovy Plugin

Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowed.

Multiple sandbox bypass vulnerabilities exist in Script Security Plugin and Pipeline: Groovy Plugin:

In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier and in Pipeline: Groovy Plugin 2802.v5ea_628154b_c2 and earlier, various casts performed implicitly by the Groovy language runtime were not intercepted by the sandbox. This includes casts performed when returning values from methods, when assigning local variables, fields, properties, and when defining default arguments for closure, constructor, and method parameters (CVE-2022-43401 in Script Security Plugin and CVE-2022-43402 in Pipeline: Groovy Plugin).
In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier, when casting an array-like value to an array type, per-element casts to the component type of the array are not intercepted by the sandbox (CVE-2022-43403).
In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier, crafted constructor bodies and calls to sandbox-generated synthetic constructors can be used to construct any subclassable type (due to an incomplete fix for SECURITY-1754 in the 2020-03-09 security advisory) (CVE-2022-43404).

These vulnerabilities allow attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.\n\nThese vulnerabilities have been fixed:

Script Security Plugin 1184.v85d16b_d851b_3 and Pipeline: Groovy Plugin 2803.v1a_f77ffcc773 intercept Groovy casts performed implicitly by the Groovy language runtime (CVE-2022-43401 in Script Security Plugin and CVE-2022-43402 in Pipeline: Groovy Plugin).
Script Security Plugin 1184.v85d16b_d851b_3 intercepts per-element casts when casting array-like values to array types (CVE-2022-43403).
Script Security Plugin 1184.v85d16b_d851b_3 rejects improper calls to sandbox-generated synthetic constructors (CVE-2022-43404).

Both plugins, Script Security Plugin and Pipeline: Groovy Plugin must be updated simultaneously. While Script Security Plugin could be updated independently, doing so would cause errors in Pipeline: Groovy Plugin due to an incompatible API change.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-43401

GHSA ID

GHSA-7vr5-72w7-q6jc

EPSS Score

0.35058%

CWE

CWE-693

Published

10/19/2022

Updated

11/22/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:script-security	maven	< 1184.v85d16b	1184.v85d16b_d851b_3
org.jenkins-ci.plugins.workflow:workflow-cps	maven	<= 2802.v5ea	2803.v1a_f77ffcc773

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerabilities stem from missing sandbox intercepts in Groovy's implicit type system operations. Key areas include: 1) Method call interception (SandboxInterceptor) for implicit casts in returns/assignments, 2) Constructor validation (CheckpointedMethodSelector) for synthetic constructors, 3) CPS transformation (CpsTransformer) of cast expressions, and 4) Recursive array element type checking (TypeConverter). These functions handle critical type system operations that were not properly sandboxed, allowing bypasses through Groovy's implicit casting mechanics and constructor invocation patterns.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

S*ript S**urity Plu*in provi**s * s*n**ox ***tur* t**t *llows low privil**** us*rs to ***in* s*ripts, in*lu*in* Pip*lin*s, t**t *r* **n*r*lly s*** to *x**ut*. **lls to *o** ***in** insi** * s*n**ox** s*ript *r* int*r**pt**, *n* v*rious *llowlists *r*

Reasoning

T** vuln*r**iliti*s st*m *rom missin* s*n**ox int*r**pts in *roovy's impli*it typ* syst*m op*r*tions. K*y *r**s in*lu**: *) M*t*o* **ll int*r**ption (S*n**oxInt*r**ptor) *or impli*it **sts in r*turns/*ssi*nm*nts, *) *onstru*tor v*li**tion (****kpoint

8.8

Basic Information

Concerned about an active attack path?

CVE-2022-43401: Sandbox bypass vulnerabilities in Jenkins Script Security Plugin and in Pipeline: Groovy Plugin

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI