Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:maven/org.jenkins-ci.plugins/script-security@1184.v85d16b_d851b_3
purl pkg:maven/org.jenkins-ci.plugins/script-security@1184.v85d16b_d851b_3
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (3)
Vulnerability Summary Aliases
VCID-n5vc-ggjg-kfc1 Jenkins Script Security Plugin sandbox bypass vulnerability A sandbox bypass vulnerability involving casting an array-like value to an array type in Jenkins Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. Script Security Plugin 1184.v85d16b_d851b_3 intercepts per-element casts when casting array-like values to array types. CVE-2022-43403
GHSA-f6mq-6fx5-w2ch
VCID-pnge-tumu-v7e2 Sandbox bypass vulnerabilities in Jenkins Script Security Plugin and in Pipeline: Groovy Plugin Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowed. Multiple sandbox bypass vulnerabilities exist in Script Security Plugin and Pipeline: Groovy Plugin: - In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier and in Pipeline: Groovy Plugin 2802.v5ea_628154b_c2 and earlier, various casts performed implicitly by the Groovy language runtime were not intercepted by the sandbox. This includes casts performed when returning values from methods, when assigning local variables, fields, properties, and when defining default arguments for closure, constructor, and method parameters (CVE-2022-43401 in Script Security Plugin and CVE-2022-43402 in Pipeline: Groovy Plugin). - In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier, when casting an array-like value to an array type, per-element casts to the component type of the array are not intercepted by the sandbox (CVE-2022-43403). - In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier, crafted constructor bodies and calls to sandbox-generated synthetic constructors can be used to construct any subclassable type (due to an incomplete fix for SECURITY-1754 in the [2020-03-09 security advisory](https://www.jenkins.io/security/advisory/2020-03-09/#SECURITY-1754)) (CVE-2022-43404). These vulnerabilities allow attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM. These vulnerabilities have been fixed: - Script Security Plugin 1184.v85d16b_d851b_3 and Pipeline: Groovy Plugin 2803.v1a_f77ffcc773 intercept Groovy casts performed implicitly by the Groovy language runtime (CVE-2022-43401 in Script Security Plugin and CVE-2022-43402 in Pipeline: Groovy Plugin). - Script Security Plugin 1184.v85d16b_d851b_3 intercepts per-element casts when casting array-like values to array types (CVE-2022-43403). - Script Security Plugin 1184.v85d16b_d851b_3 rejects improper calls to sandbox-generated synthetic constructors (CVE-2022-43404). Both plugins, Script Security Plugin and Pipeline: Groovy Plugin must be updated simultaneously. While Script Security Plugin could be updated independently, doing so would cause errors in Pipeline: Groovy Plugin due to an incompatible API change. CVE-2022-43404
GHSA-27rf-8mjp-r363
VCID-tx8n-nmhx-gqg1 Sandbox bypass vulnerabilities in Jenkins Script Security Plugin and in Pipeline: Groovy Plugin Script Security Plugin provides a sandbox feature that allows low privileged users to define scripts, including Pipelines, that are generally safe to execute. Calls to code defined inside a sandboxed script are intercepted, and various allowlists are checked to determine whether the call is to be allowed. Multiple sandbox bypass vulnerabilities exist in Script Security Plugin and Pipeline: Groovy Plugin: - In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier and in Pipeline: Groovy Plugin 2802.v5ea_628154b_c2 and earlier, various casts performed implicitly by the Groovy language runtime were not intercepted by the sandbox. This includes casts performed when returning values from methods, when assigning local variables, fields, properties, and when defining default arguments for closure, constructor, and method parameters (CVE-2022-43401 in Script Security Plugin and CVE-2022-43402 in Pipeline: Groovy Plugin). - In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier, when casting an array-like value to an array type, per-element casts to the component type of the array are not intercepted by the sandbox (CVE-2022-43403). - In Script Security Plugin 1183.v774b_0b_0a_a_451 and earlier, crafted constructor bodies and calls to sandbox-generated synthetic constructors can be used to construct any subclassable type (due to an incomplete fix for SECURITY-1754 in the [2020-03-09 security advisory](https://www.jenkins.io/security/advisory/2020-03-09/#SECURITY-1754)) (CVE-2022-43404). These vulnerabilities allow attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.\n\nThese vulnerabilities have been fixed: - Script Security Plugin 1184.v85d16b_d851b_3 and Pipeline: Groovy Plugin 2803.v1a_f77ffcc773 intercept Groovy casts performed implicitly by the Groovy language runtime (CVE-2022-43401 in Script Security Plugin and CVE-2022-43402 in Pipeline: Groovy Plugin). - Script Security Plugin 1184.v85d16b_d851b_3 intercepts per-element casts when casting array-like values to array types (CVE-2022-43403). - Script Security Plugin 1184.v85d16b_d851b_3 rejects improper calls to sandbox-generated synthetic constructors (CVE-2022-43404). Both plugins, Script Security Plugin and Pipeline: Groovy Plugin must be updated simultaneously. While Script Security Plugin could be updated independently, doing so would cause errors in Pipeline: Groovy Plugin due to an incompatible API change. CVE-2022-43401
GHSA-7vr5-72w7-q6jc

Date Actor Action Vulnerability Source VulnerableCode Version
2026-04-01T16:03:47.785577+00:00 GHSA Importer Fixing VCID-n5vc-ggjg-kfc1 https://github.com/advisories/GHSA-f6mq-6fx5-w2ch 38.0.0
2026-04-01T16:03:47.702765+00:00 GHSA Importer Fixing VCID-pnge-tumu-v7e2 https://github.com/advisories/GHSA-27rf-8mjp-r363 38.0.0
2026-04-01T16:03:47.649332+00:00 GHSA Importer Fixing VCID-tx8n-nmhx-gqg1 https://github.com/advisories/GHSA-7vr5-72w7-q6jc 38.0.0
2026-04-01T13:04:58.990415+00:00 GithubOSV Importer Fixing VCID-pnge-tumu-v7e2 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-27rf-8mjp-r363/GHSA-27rf-8mjp-r363.json 38.0.0
2026-04-01T13:04:57.837387+00:00 GithubOSV Importer Fixing VCID-n5vc-ggjg-kfc1 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-f6mq-6fx5-w2ch/GHSA-f6mq-6fx5-w2ch.json 38.0.0
2026-04-01T13:04:47.943153+00:00 GithubOSV Importer Fixing VCID-tx8n-nmhx-gqg1 https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-7vr5-72w7-q6jc/GHSA-7vr5-72w7-q6jc.json 38.0.0