Vulnerability Instance
Lookup for vulnerabilities affecting packages.
GET /api/vulnerabilities/51687?format=api
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/51687?format=api", "vulnerability_id": "VCID-tx8n-nmhx-gqg1", "summary": "Sandbox bypass vulnerabilities in Jenkins Script Security Plugin and in Pipeline: Groovy Plugin\nScript Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowed.\n\nMultiple sandbox bypass vulnerabilities exist in Script Security Plugin and Pipeline: Groovy Plugin:\n\n- In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier and in Pipeline: Groovy Plugin 2802.v5ea_628154b_c2 and earlier, various casts performed implicitly by the Groovy language runtime were not intercepted by the sandbox. This includes casts performed when returning values from methods, when assigning local variables, fields, properties, and when defining default arguments for closure, constructor, and method parameters (CVE-2022-43401 in Script Security Plugin and CVE-2022-43402 in Pipeline: Groovy Plugin).\n- In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier, when casting an array-like value to an array type, per-element casts to the component type of the array are not intercepted by the sandbox (CVE-2022-43403).\n- In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier, crafted constructor bodies and calls to sandbox-generated synthetic constructors can be used to construct any subclassable type (due to an incomplete fix for SECURITY-1754 in the [2020-03-09 security advisory](https://www.jenkins.io/security/advisory/2020-03-09/#SECURITY-1754)) (CVE-2022-43404).\n\nThese vulnerabilities allow attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.\\n\\nThese vulnerabilities have been fixed:\n\n- Script Security Plugin 1184.v85d16b_d851b_3 and Pipeline: Groovy Plugin 2803.v1a_f77ffcc773 intercept Groovy casts performed implicitly by the Groovy language runtime (CVE-2022-43401 in Script Security Plugin and CVE-2022-43402 in Pipeline: Groovy Plugin).\n- Script Security Plugin 1184.v85d16b_d851b_3 intercepts per-element casts when casting array-like values to array types (CVE-2022-43403).\n- Script Security Plugin 1184.v85d16b_d851b_3 rejects improper calls to sandbox-generated synthetic constructors (CVE-2022-43404).\n\nBoth plugins, Script Security Plugin and Pipeline: Groovy Plugin must be updated simultaneously. While Script Security Plugin could be updated independently, doing so would cause errors in Pipeline: Groovy Plugin due to an incompatible API change.", "aliases": [ { "alias": "CVE-2022-43401" }, { "alias": "GHSA-7vr5-72w7-q6jc" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/79376?format=api", "purl": "pkg:maven/org.jenkins-ci.plugins/script-security@1184.v85d16b_d851b_3", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.plugins/script-security@1184.v85d16b_d851b_3" }, { "url": "http://public2.vulnerablecode.io/api/packages/79377?format=api", "purl": "pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps@2803.v1a_f77ffcc773", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps@2803.v1a_f77ffcc773" } ], "affected_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/993994?format=api", "purl": "pkg:maven/org.jenkins-ci.plugins/script-security@1183.v774b_0b_0a_a_451", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-n5vc-ggjg-kfc1" }, { "vulnerability": "VCID-pnge-tumu-v7e2" }, { "vulnerability": "VCID-tx8n-nmhx-gqg1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.plugins/script-security@1183.v774b_0b_0a_a_451" }, { "url": "http://public2.vulnerablecode.io/api/packages/144667?format=api", "purl": "pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps@2802.v5ea", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-pnge-tumu-v7e2" }, { "vulnerability": "VCID-tx8n-nmhx-gqg1" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps@2802.v5ea" }, { "url": "http://public2.vulnerablecode.io/api/packages/97536?format=api", "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.9.1675668922-1?arch=el8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13zs-2sn8-3yey" }, { "vulnerability": "VCID-1tha-u7dt-tfc9" }, { "vulnerability": "VCID-2zhb-qfhq-xkdp" }, { "vulnerability": "VCID-4qvq-xv22-xbed" }, { "vulnerability": "VCID-5jjh-qcnz-mye7" }, { "vulnerability": "VCID-73th-g3mx-dqf1" }, { "vulnerability": "VCID-892e-957y-4yc8" }, { "vulnerability": "VCID-9h4k-xjx5-afc8" }, { "vulnerability": "VCID-atqg-nfz6-zyfs" }, { "vulnerability": "VCID-ca7m-fb38-kfe2" }, { "vulnerability": "VCID-dmkc-42vj-gbhc" }, { "vulnerability": "VCID-fzvq-dpvh-v7eu" }, { "vulnerability": "VCID-gxu6-51zm-sfh7" }, { "vulnerability": "VCID-mm3e-4pej-byed" }, { "vulnerability": "VCID-n5vc-ggjg-kfc1" }, { "vulnerability": "VCID-netd-rr9e-wbg5" }, { "vulnerability": "VCID-pnge-tumu-v7e2" }, { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-rs56-6qvx-vucg" }, { "vulnerability": "VCID-rxtr-936k-h3cc" }, { "vulnerability": "VCID-s839-rpta-6bej" }, { "vulnerability": "VCID-tx8n-nmhx-gqg1" }, { "vulnerability": "VCID-ubq1-gzr6-x3fu" }, { "vulnerability": "VCID-xq5k-dyk9-u3ct" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins-2-plugins@4.9.1675668922-1%3Farch=el8" }, { "url": "http://public2.vulnerablecode.io/api/packages/97535?format=api", "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.10.1675144701-1?arch=el8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-13zs-2sn8-3yey" }, { "vulnerability": "VCID-1tha-u7dt-tfc9" }, { "vulnerability": "VCID-2zhb-qfhq-xkdp" }, { "vulnerability": "VCID-4qvq-xv22-xbed" }, { "vulnerability": "VCID-5jjh-qcnz-mye7" }, { "vulnerability": "VCID-73th-g3mx-dqf1" }, { "vulnerability": "VCID-892e-957y-4yc8" }, { "vulnerability": "VCID-9h4k-xjx5-afc8" }, { "vulnerability": "VCID-atqg-nfz6-zyfs" }, { "vulnerability": "VCID-ca7m-fb38-kfe2" }, { "vulnerability": "VCID-fzvq-dpvh-v7eu" }, { "vulnerability": "VCID-gxu6-51zm-sfh7" }, { "vulnerability": "VCID-mm3e-4pej-byed" }, { "vulnerability": "VCID-n5vc-ggjg-kfc1" }, { "vulnerability": "VCID-netd-rr9e-wbg5" }, { "vulnerability": "VCID-pnge-tumu-v7e2" }, { "vulnerability": "VCID-pwtj-az3g-zka3" }, { "vulnerability": "VCID-rs56-6qvx-vucg" }, { "vulnerability": "VCID-rxtr-936k-h3cc" }, { "vulnerability": "VCID-s839-rpta-6bej" }, { "vulnerability": "VCID-tx8n-nmhx-gqg1" }, { "vulnerability": "VCID-ubq1-gzr6-x3fu" }, { "vulnerability": "VCID-xq5k-dyk9-u3ct" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins-2-plugins@4.10.1675144701-1%3Farch=el8" }, { "url": "http://public2.vulnerablecode.io/api/packages/97035?format=api", "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.11.1683009941-1?arch=el8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1tha-u7dt-tfc9" }, { "vulnerability": "VCID-2zhb-qfhq-xkdp" }, { "vulnerability": "VCID-4qvq-xv22-xbed" }, { "vulnerability": "VCID-5bu5-5b6n-nuft" }, { "vulnerability": "VCID-73th-g3mx-dqf1" }, { "vulnerability": "VCID-atqg-nfz6-zyfs" }, { "vulnerability": "VCID-dmkc-42vj-gbhc" }, { "vulnerability": "VCID-j584-bgww-z7fw" }, { "vulnerability": "VCID-j986-mtma-b3bw" }, { "vulnerability": "VCID-m3g5-ua28-afd2" }, { "vulnerability": "VCID-mm3e-4pej-byed" }, { "vulnerability": "VCID-n5vc-ggjg-kfc1" }, { "vulnerability": "VCID-netd-rr9e-wbg5" }, { "vulnerability": "VCID-pnge-tumu-v7e2" }, { "vulnerability": "VCID-quvj-3tpk-qug1" }, { "vulnerability": "VCID-rxtr-936k-h3cc" }, { "vulnerability": "VCID-s839-rpta-6bej" }, { "vulnerability": "VCID-tx8n-nmhx-gqg1" }, { "vulnerability": "VCID-xq5k-dyk9-u3ct" }, { "vulnerability": "VCID-zxcj-h6nx-m7gq" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins-2-plugins@4.11.1683009941-1%3Farch=el8" }, { "url": "http://public2.vulnerablecode.io/api/packages/97533?format=api", "purl": "pkg:rpm/redhat/jenkins-2-plugins@4.12.1675702407-1?arch=el8", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1pzb-gkrf-m3hq" }, { "vulnerability": "VCID-1tha-u7dt-tfc9" }, { "vulnerability": "VCID-2zhb-qfhq-xkdp" }, { "vulnerability": "VCID-73th-g3mx-dqf1" }, { "vulnerability": "VCID-9h46-72hw-bkcr" }, { "vulnerability": "VCID-atqg-nfz6-zyfs" }, { "vulnerability": "VCID-k6wy-rwhv-ckd2" }, { "vulnerability": "VCID-n5vc-ggjg-kfc1" }, { "vulnerability": "VCID-netd-rr9e-wbg5" }, { "vulnerability": "VCID-pnge-tumu-v7e2" }, { "vulnerability": "VCID-rs56-6qvx-vucg" }, { "vulnerability": "VCID-rxtr-936k-h3cc" }, { "vulnerability": "VCID-s839-rpta-6bej" }, { "vulnerability": "VCID-tx8n-nmhx-gqg1" }, { "vulnerability": "VCID-v2pq-1qhm-4qb9" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/jenkins-2-plugins@4.12.1675702407-1%3Farch=el8" } ], "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-43401.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-43401.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-43401", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40168", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40152", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40178", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.401", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40165", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40175", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40137", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00184", "scoring_system": "epss", "scoring_elements": "0.40118", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-43401" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43401", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-43401" }, { "reference_url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)" }, { "reference_url": "http://www.openwall.com/lists/oss-security/2022/10/19/3", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "http://www.openwall.com/lists/oss-security/2022/10/19/3" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136381", "reference_id": "2136381", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2136381" }, { "reference_url": "https://github.com/advisories/GHSA-7vr5-72w7-q6jc", "reference_id": "GHSA-7vr5-72w7-q6jc", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7vr5-72w7-q6jc" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0560", "reference_id": "RHSA-2023:0560", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0560" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:0777", "reference_id": "RHSA-2023:0777", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:0777" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1064", "reference_id": "RHSA-2023:1064", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1064" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3198", "reference_id": "RHSA-2023:3198", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3198" } ], "weaknesses": [ { "cwe_id": 693, "name": "Protection Mechanism Failure", "description": "The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." }, { "cwe_id": 78, "name": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "description": "The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." } ], "exploits": [], "severity_range_score": "7.0 - 9.9", "exploitability": "0.5", "weighted_severity": "8.9", "risk_score": 4.5, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tx8n-nmhx-gqg1" }