CVE-2022-43403: 
Java vulnerability analysis and mitigation

A sandbox bypass vulnerability was discovered in Jenkins Script Security Plugin version 1183.v774b0b0aa451 and earlier. The vulnerability (CVE-2022-43403) was disclosed on October 19, 2022 and affects the Script Security Plugin's sandbox feature, which is designed to allow low-privileged users to safely execute scripts including Pipelines (Jenkins Advisory, OSS Security).

The vulnerability occurs when casting an array-like value to an array type, where per-element casts to the component type of the array are not intercepted by the sandbox. This implementation flaw in the sandbox protection mechanism allows attackers to bypass the intended security controls (Jenkins Advisory). The vulnerability has been assigned a CVSS v3.1 base score of 9.9 CRITICAL with vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (NVD).

This vulnerability allows attackers with permission to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM (Jenkins Advisory, OSS Security).

The vulnerability has been fixed in Script Security Plugin version 1184.v85d16bd851b3, which intercepts per-element casts when casting array-like values to array types. Users are advised to update to this version or later. Both Script Security Plugin and Pipeline: Groovy Plugin must be updated simultaneously, as updating Script Security Plugin alone would cause errors in Pipeline: Groovy Plugin due to an incompatible API change (Jenkins Advisory).