<p>A fix was pushed into the <code>master</code> branch but not yet published.</p>

Protection Mechanism Failure Affecting org.jenkins-ci.plugins:script-security package, versions [0,]

Snyk CVSS

Attack Complexity High

Scope Changed

Confidentiality High

Threat Intelligence

EPSS 0.21% (59^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk ID SNYK-JAVA-ORGJENKINSCIPLUGINS-3057193
published 20 Oct 2022
disclosed 19 Oct 2022
credit Devin Nusbaum

Report a new vulnerability Found a mistake?

Introduced: 19 Oct 2022

CVE-2022-43403 Open this link in a new tab CWE-693 Open this link in a new tab

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

org.jenkins-ci.plugins:script-security is a package that allows Jenkins administrators to control what in-process scripts can be run by less-privileged users.

Affected versions of this package are vulnerable to Protection Mechanism Failure when casting an array-like value to an array type, per-element casts to the component type of the array are not intercepted by the sandbox. Exploiting this vulnerability allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.