CVE-2022-43405
First published: Wed Oct 19 2022(Updated: )
A sandbox bypass vulnerability in Jenkins Pipeline: Groovy Libraries Plugin 612.v84da_9c54906d and earlier allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jenkins | <2-plugins-0:4.11.1683009941-1.el8 | 2-plugins-0:4.11.1683009941-1.el8 |
| redhat/jenkins | <2-plugins-0:4.12.1675702407-1.el8 | 2-plugins-0:4.12.1675702407-1.el8 |
| redhat/jenkins | <2-plugins-0:4.10.1675144701-1.el8 | 2-plugins-0:4.10.1675144701-1.el8 |
| redhat/jenkins | <2-plugins-0:4.9.1675668922-1.el8 | 2-plugins-0:4.9.1675668922-1.el8 |
| Jenkins Groovy Libraries | <=612.v84da_9c54906d |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2022-43405 https://nvd.nist.gov/vuln/detail/CVE-2022-43405 https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)
- https://bugzilla.redhat.com/show_bug.cgi?id=2136374
- https://access.redhat.com/errata/RHSA-2023:3198
- https://access.redhat.com/errata/RHSA-2023:1064
- https://access.redhat.com/errata/RHSA-2023:0560
- https://access.redhat.com/errata/RHSA-2023:0777
- https://access.redhat.com/security/cve/cve-2022-43405
- http://www.openwall.com/lists/oss-security/2022/10/19/3
- https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)
- https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20%282%29
- https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2
- https://access.redhat.com/errata/RHSA-2023:6172
- https://access.redhat.com/errata/RHSA-2024:5406
- https://access.redhat.com/errata/RHSA-2024:5411
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is the severity of CVE-2022-43405?
CVE-2022-43405 is classified as a high severity vulnerability due to its potential for arbitrary code execution.
How do I fix CVE-2022-43405?
To remediate CVE-2022-43405, update Jenkins Pipeline: Groovy Libraries Plugin to version 612.v84da_9c54906d or later.
What are the affected versions for CVE-2022-43405?
CVE-2022-43405 affects Jenkins Pipeline: Groovy Libraries Plugin versions up to and including 612.v84da_9c54906d.
Can CVE-2022-43405 be exploited remotely?
Yes, attackers with the required permissions can exploit CVE-2022-43405 remotely by defining untrusted Pipeline libraries.
What actions can be taken to mitigate CVE-2022-43405?
To mitigate CVE-2022-43405, ensure that only trusted users have permission to define untrusted Pipeline libraries in Jenkins.
- collector/redhat-cve
- collector/nvd-index
- collector/nvd-api
- agent/author
- agent/first-publish-date
- agent/type
- agent/softwarecombine
- agent/severity
- agent/weakness
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/event
- agent/references
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-43405
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/trending
- agent/tags
- agent/source
- package-manager/redhat
- vendor/jenkins
- canonical/jenkins groovy libraries
- version/jenkins groovy libraries/612.v84da_9c54906d