#VU68598 Protection Mechanism Failure in Pipeline: Shared Groovy Libraries - CVE-2022-43405

Cybersecurity Help s.r.o.

Published: 2022-10-24

Vulnerability identifier: #VU68598

Vulnerability risk: Medium

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Green]

CVE-ID: CVE-2022-43405

CWE-ID: CWE-693

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Pipeline: Shared Groovy Libraries
Web applications / Modules and components for CMS

Vendor: Jenkins

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient implementation of security measures. A remote user can bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Pipeline: Shared Groovy Libraries: 612.v84da_9c54906d

External links
https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(2)
https://www.openwall.com/lists/oss-security/2022/10/19/3

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Red Hat Product OCP Tools 4.12 update for Openshift Jenkins

OpenShift Developer Tools and Services for OCP 4.11 update for jenkins and jenkins-2-plugins

OpenShift Developer Tools and Services for OCP 4.12 update for Jenkins and Jenkins-2-plugins

Multiple vulnerabilities in OpenShift Container Platform 4.9

Multiple vulnerabilities in OpenShift Container Platform 4.10

Protection Mechanism Failure in Jenkins Pipeline: Groovy Libraries plugin