Protection Mechanism Failure in Script Security

#VU68597 Protection Mechanism Failure in Script Security

Published: 2022-10-24

Vulnerability identifier: #VU68597

Vulnerability risk: Medium

CVSSv3.1: 8.6 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2022-43403

CWE-ID: CWE-693

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Script Security
Web applications / Modules and components for CMS

Vendor: Jenkins

Description

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient implementation of security measures. A remote user can bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Script Security: 1183.v774b_0b_0a_a_451

External links
http://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2824%20(1)
http://www.openwall.com/lists/oss-security/2022/10/19/3

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

OpenShift Developer Tools and Services for OCP 4.11 update for jenkins and jenkins-2-plugins

OpenShift Developer Tools and Services for OCP 4.12 update for Jenkins and Jenkins-2-plugins

Multiple vulnerabilities in OpenShift Container Platform 4.9

Multiple vulnerabilities in OpenShift Container Platform 4.10

Multiple vulnerabilities in Oracle Communications Cloud Native Core Unified Data Repository

Multiple vulnerabilities in Jenkins Script Security plugin