GHSA-27rf-8mjp-r363

Suggest an improvement
Source
https://github.com/advisories/GHSA-27rf-8mjp-r363
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-27rf-8mjp-r363/GHSA-27rf-8mjp-r363.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-27rf-8mjp-r363
Aliases
Published
2022-10-19T19:00:21Z
Modified
2023-11-08T04:10:42.103167Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Sandbox bypass vulnerabilities in Jenkins Script Security Plugin and in Pipeline: Groovy Plugin
Details

Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowed.

Multiple sandbox bypass vulnerabilities exist in Script Security Plugin and Pipeline: Groovy Plugin:

  • In Script Security Plugin 1183.v774b0b0aa451 and earlier and in Pipeline: Groovy Plugin 2802.v5ea628154bc2 and earlier, various casts performed implicitly by the Groovy language runtime were not intercepted by the sandbox. This includes casts performed when returning values from methods, when assigning local variables, fields, properties, and when defining default arguments for closure, constructor, and method parameters (CVE-2022-43401 in Script Security Plugin and CVE-2022-43402 in Pipeline: Groovy Plugin).
  • In Script Security Plugin 1183.v774b0b0aa451 and earlier, when casting an array-like value to an array type, per-element casts to the component type of the array are not intercepted by the sandbox (CVE-2022-43403).
  • In Script Security Plugin 1183.v774b0b0aa451 and earlier, crafted constructor bodies and calls to sandbox-generated synthetic constructors can be used to construct any subclassable type (due to an incomplete fix for SECURITY-1754 in the 2020-03-09 security advisory) (CVE-2022-43404).

These vulnerabilities allow attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

These vulnerabilities have been fixed:

  • Script Security Plugin 1184.v85d16bd851b3 and Pipeline: Groovy Plugin 2803.v1a_f77ffcc773 intercept Groovy casts performed implicitly by the Groovy language runtime (CVE-2022-43401 in Script Security Plugin and CVE-2022-43402 in Pipeline: Groovy Plugin).
  • Script Security Plugin 1184.v85d16bd851b3 intercepts per-element casts when casting array-like values to array types (CVE-2022-43403).
  • Script Security Plugin 1184.v85d16bd851b3 rejects improper calls to sandbox-generated synthetic constructors (CVE-2022-43404).

Both plugins, Script Security Plugin and Pipeline: Groovy Plugin must be updated simultaneously. While Script Security Plugin could be updated independently, doing so would cause errors in Pipeline: Groovy Plugin due to an incompatible API change.

Database specific
{
    "nvd_published_at": "2022-10-19T16:15:00Z",
    "github_reviewed_at": "2022-10-19T22:04:13Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-693"
    ]
}
References

Affected packages

Maven / org.jenkins-ci.plugins:script-security

Package

Name
org.jenkins-ci.plugins:script-security
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins/script-security

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1184.v85d16b_d851b_3

Affected versions

1.*

1.0-beta-1
1.0-beta-2
1.0-beta-3
1.0-beta-4
1.0-beta-5
1.0-beta-6
1.0
1.1
1.2
1.3
1.4
1.5
1.6
1.7
1.8
1.9
1.10
1.11
1.12
1.13
1.14
1.15
1.16
1.17
1.18
1.18.1
1.19
1.20
1.21
1.22
1.23
1.24
1.25
1.26
1.27
1.28
1.29
1.29.1
1.30
1.31
1.33
1.34
1.35
1.36
1.37
1.38
1.39
1.40
1.41
1.42
1.43
1.44
1.44.1
1.45
1.46
1.46.1
1.47
1.48
1.49
1.50
1.51
1.52
1.53
1.54
1.54.1
1.54.2
1.54.3
1.54.4
1.55
1.56
1.57
1.57.1
1.57.2
1.57.3
1.57.4
1.57.5
1.57.6
1.58
1.59
1.60
1.60.1
1.61
1.62
1.63
1.63.1
1.64
1.65
1.66
1.66.1
1.66.2
1.66.3
1.66.4
1.66.5
1.67
1.68
1.69
1.70
1.71
1.72
1.73
1.74
1.75
1.76
1.77
1.78
1.78.1

1118.*

1118.vba21ca2e3286

1125.*

1125.v132f99385e1b_

1131.*

1131.v8b_b_5eda_c328e

1138.*

1138.v8e727069a_025

1140.*

1140.vf967fb_efa_55a_

1145.*

1145.vb_cf6cf6ed960
1145.1148.vf6d17a_a_a_eef6

1146.*

1146.vdf547f19a_473

1158.*

1158.v7c1b_73a_69a_08

1172.*

1172.v35f6a_0b_8207e

1175.*

1175.v4b_d517d6db_f0
1175.1177.vda_175b_77d144
1175.1179.vea_f7532629e1
1175.1180.v36a_3fb_2dec9c

1183.*

1183.v774b_0b_0a_a_451

Database specific

{
    "last_known_affected_version_range": "< 1184.v85d16b"
}

Maven / org.jenkins-ci.plugins.workflow:workflow-cps

Package

Name
org.jenkins-ci.plugins.workflow:workflow-cps
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2803.v1a_f77ffcc773

Affected versions

0.*

0.1-beta-1
0.1-beta-2
0.1-beta-3
0.1-beta-4
0.1-beta-5
0.1-beta-6
0.1-beta-7
0.1-beta-8

1.*

1.0-beta-1
1.0
1.1
1.2
1.3
1.4
1.4.1
1.4.2
1.4.3-beta-1
1.4.3
1.5
1.6-alpha-1
1.6
1.7-alpha-1
1.7
1.8
1.9-beta-1
1.9
1.10-beta-1
1.10
1.10.1
1.11-beta-1
1.11-beta-2
1.11-beta-3
1.11-beta-4
1.11
1.12-beta-1
1.12-beta-2
1.12-beta-3
1.12
1.13
1.14-beta-1
1.14
1.14.1-beta-1
1.14.1
1.14.2
1.15-beta-1
1.15

2.*

2.0
2.1
2.2
2.3
2.4
2.5
2.6
2.7
2.8
2.9
2.10
2.11
2.12
2.13
2.14
2.15
2.16
2.17
2.18
2.19
2.20
2.21
2.22
2.23
2.24
2.25
2.26
2.27
2.28
2.29
2.30
2.30-stepstorage2-alpha
2.30-stepstorage2-alpha2
2.30-stepstorage4-beta
2.31
2.32
2.33
2.34
2.35
2.36
2.36.1
2.37
2.38
2.39
2.40
2.41
2.42
2.43
2.43-durability-beta-1
2.43-durability-beta-2
2.43-durability-beta-3
2.43-durability-beta-4
2.44
2.45
2.46
2.46.1
2.46.2
2.47
2.48
2.49
2.50
2.51
2.52
2.53
2.54
2.54.1
2.54.2
2.55
2.56
2.57
2.57.1
2.57.2
2.57.3
2.58-beta-1
2.58
2.59
2.60
2.61
2.61.1
2.61.2
2.61.3
2.62
2.63
2.64
2.65
2.66
2.66.1
2.67
2.68
2.69
2.70
2.71
2.72
2.73
2.74
2.74.1
2.75
2.76
2.77
2.78
2.79
2.80
2.81
2.82
2.83
2.84
2.85
2.86
2.87
2.88
2.89
2.90
2.91
2.92
2.92.1
2.93
2.94
2.94.1
2.94.4

2633.*

2633.v6baeedc13805

2640.*

2640.v00e79c8113de

2644.*

2644.v29a793dac95a

2646.*

2646.v6ed3b5b01ff1

2648.*

2648.va9433432b33c
2648.2651.v230593e03e9f

2656.*

2656.vf7a_e7b_75a_457

2659.*

2659.v52d3de6044d0

2660.*

2660.vb_c0412dc4e6d
2660.2664.v4c114e93f4c1

2680.*

2680.vf642ed4fa_d55

2682.*

2682.va_473dcddc941

2683.*

2683.vd0a_8f6a_1c263
2683.2687.vb_0cc3f973f06

2686.*

2686.v7c37e0578401

2687.*

2687.v3f09155513c1

2688.*

2688.v39a_b_e5c49a_65

2689.*

2689.v434009a_31b_f1

2692.*

2692.v76b_089ccd026

2705.*

2705.v0449852ee36f

2706.*

2706.v71dd22b_c5a_a_2

2710.*

2710.vcd48b_b_9e0e7d

2725.*

2725.v7b_c717eb_12ce

2729.*

2729.vea_17b_79ed57a_
2729.2732.vda_e3f07b_5a_f8

2746.*

2746.v0da_83a_332669
2746.2748.v365128b_c26d7

2759.*

2759.v87459c4eea_ca_
2759.2761.vd6e8d2a_15980

2784.*

2784.vd252824b_4eb_9

2801.*

2801.vf82a_b_b_e3e8a_5

2802.*

2802.v5ea_628154b_c2

Database specific

{
    "last_known_affected_version_range": "<= 2802.v5ea"
}