Protection Mechanism Failure Affecting org.jenkins-ci.plugins:script-security package, versions [0,]
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGJENKINSCIPLUGINS-3057193
- published 20 Oct 2022
- disclosed 19 Oct 2022
- credit Devin Nusbaum
Introduced: 19 Oct 2022
CVE-2022-43403 Open this link in a new tabHow to fix?
A fix was pushed into the master branch but not yet published.
Overview
org.jenkins-ci.plugins:script-security is a package that allows Jenkins administrators to control what in-process scripts can be run by less-privileged users.
Affected versions of this package are vulnerable to Protection Mechanism Failure when casting an array-like value to an array type, per-element casts to the component type of the array are not intercepted by the sandbox. Exploiting this vulnerability allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.