Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps@2802.v5ea
purl pkg:maven/org.jenkins-ci.plugins.workflow/workflow-cps@2802.v5ea
Next non-vulnerable version 2803.v1a_f77ffcc773
Latest non-vulnerable version 3993.v3e20a
Risk 4.5
Vulnerabilities affecting this package (2)
Vulnerability Summary Fixed by
VCID-pnge-tumu-v7e2
Aliases:
CVE-2022-43404
GHSA-27rf-8mjp-r363
Sandbox bypass vulnerabilities in Jenkins Script Security Plugin and in Pipeline: Groovy Plugin Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowed. Multiple sandbox bypass vulnerabilities exist in Script Security Plugin and Pipeline: Groovy Plugin: - In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier and in Pipeline: Groovy Plugin 2802.v5ea_628154b_c2 and earlier, various casts performed implicitly by the Groovy language runtime were not intercepted by the sandbox. This includes casts performed when returning values from methods, when assigning local variables, fields, properties, and when defining default arguments for closure, constructor, and method parameters (CVE-2022-43401 in Script Security Plugin and CVE-2022-43402 in Pipeline: Groovy Plugin). - In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier, when casting an array-like value to an array type, per-element casts to the component type of the array are not intercepted by the sandbox (CVE-2022-43403). - In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier, crafted constructor bodies and calls to sandbox-generated synthetic constructors can be used to construct any subclassable type (due to an incomplete fix for SECURITY-1754 in the [2020-03-09 security advisory](https://www.jenkins.io/security/advisory/2020-03-09/#SECURITY-1754)) (CVE-2022-43404). These vulnerabilities allow attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. These vulnerabilities have been fixed: - Script Security Plugin 1184.v85d16b_d851b_3 and Pipeline: Groovy Plugin 2803.v1a_f77ffcc773 intercept Groovy casts performed implicitly by the Groovy language runtime (CVE-2022-43401 in Script Security Plugin and CVE-2022-43402 in Pipeline: Groovy Plugin). - Script Security Plugin 1184.v85d16b_d851b_3 intercepts per-element casts when casting array-like values to array types (CVE-2022-43403). - Script Security Plugin 1184.v85d16b_d851b_3 rejects improper calls to sandbox-generated synthetic constructors (CVE-2022-43404). Both plugins, Script Security Plugin and Pipeline: Groovy Plugin must be updated simultaneously. While Script Security Plugin could be updated independently, doing so would cause errors in Pipeline: Groovy Plugin due to an incompatible API change.
2803.v1a_f77ffcc773
Affected by 0 other vulnerabilities.
VCID-tx8n-nmhx-gqg1
Aliases:
CVE-2022-43401
GHSA-7vr5-72w7-q6jc
Sandbox bypass vulnerabilities in Jenkins Script Security Plugin and in Pipeline: Groovy Plugin Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowed. Multiple sandbox bypass vulnerabilities exist in Script Security Plugin and Pipeline: Groovy Plugin: - In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier and in Pipeline: Groovy Plugin 2802.v5ea_628154b_c2 and earlier, various casts performed implicitly by the Groovy language runtime were not intercepted by the sandbox. This includes casts performed when returning values from methods, when assigning local variables, fields, properties, and when defining default arguments for closure, constructor, and method parameters (CVE-2022-43401 in Script Security Plugin and CVE-2022-43402 in Pipeline: Groovy Plugin). - In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier, when casting an array-like value to an array type, per-element casts to the component type of the array are not intercepted by the sandbox (CVE-2022-43403). - In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier, crafted constructor bodies and calls to sandbox-generated synthetic constructors can be used to construct any subclassable type (due to an incomplete fix for SECURITY-1754 in the [2020-03-09 security advisory](https://www.jenkins.io/security/advisory/2020-03-09/#SECURITY-1754)) (CVE-2022-43404). These vulnerabilities allow attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.\n\nThese vulnerabilities have been fixed: - Script Security Plugin 1184.v85d16b_d851b_3 and Pipeline: Groovy Plugin 2803.v1a_f77ffcc773 intercept Groovy casts performed implicitly by the Groovy language runtime (CVE-2022-43401 in Script Security Plugin and CVE-2022-43402 in Pipeline: Groovy Plugin). - Script Security Plugin 1184.v85d16b_d851b_3 intercepts per-element casts when casting array-like values to array types (CVE-2022-43403). - Script Security Plugin 1184.v85d16b_d851b_3 rejects improper calls to sandbox-generated synthetic constructors (CVE-2022-43404). Both plugins, Script Security Plugin and Pipeline: Groovy Plugin must be updated simultaneously. While Script Security Plugin could be updated independently, doing so would cause errors in Pipeline: Groovy Plugin due to an incompatible API change.
2803.v1a_f77ffcc773
Affected by 0 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-03T21:28:06.501519+00:00 GitLab Importer Affected by VCID-tx8n-nmhx-gqg1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jenkins-ci.plugins.workflow/workflow-cps/CVE-2022-43401.yml 38.1.0
2026-04-03T21:28:06.179335+00:00 GitLab Importer Affected by VCID-pnge-tumu-v7e2 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/maven/org.jenkins-ci.plugins.workflow/workflow-cps/CVE-2022-43404.yml 38.1.0
2026-04-01T16:03:47.867644+00:00 GHSA Importer Affected by VCID-pnge-tumu-v7e2 https://github.com/advisories/GHSA-27rf-8mjp-r363 38.0.0
2026-04-01T16:03:47.839050+00:00 GHSA Importer Affected by VCID-tx8n-nmhx-gqg1 https://github.com/advisories/GHSA-7vr5-72w7-q6jc 38.0.0