CVE-2022-43405: 
Java vulnerability analysis and mitigation

A sandbox bypass vulnerability was discovered in Jenkins Pipeline: Groovy Libraries Plugin version 612.v84da_9c54906d and earlier, identified as CVE-2022-43405. The vulnerability was disclosed on October 19, 2022, affecting the Jenkins Pipeline: Groovy Libraries Plugin, which allows Pipeline authors to dynamically load Pipeline libraries (Jenkins Advisory, NVD).

The vulnerability exists in the library Pipeline step functionality, which allows Pipeline authors to dynamically load Pipeline libraries. The issue arises when the library step can be used to invoke sandbox-generated synthetic constructors in crafted untrusted libraries and construct any subclassable type. This vulnerability is similar to a previous security issue (SECURITY-582) reported in the 2017-08-07 security advisory, but affects a different plugin. The vulnerability has been assigned a CVSS v3.1 base score of 9.9 (Critical) with the vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (NVD).

This vulnerability allows attackers with permission to define untrusted Pipeline libraries and to define and run sandboxed scripts, including Pipelines, to bypass the sandbox protection and execute arbitrary code in the context of the Jenkins controller JVM (Jenkins Advisory).

The vulnerability has been fixed in Pipeline: Groovy Libraries Plugin version 613.v9c41a_160233f, which rejects improper calls to sandbox-generated synthetic constructors when using the library step. Organizations should upgrade to this version or later to protect against this vulnerability (Jenkins Advisory).