CVE-2022-43423

Опубликовано: 19 окт. 2022

Источник: nvd

CVSS3: 5.3

EPSS Низкий

Описание

Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.12 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.

Ссылки

http://www.openwall.com/lists/oss-security/2022/10/19/3
Mailing List
Third Party Advisory
https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2622
Vendor Advisory
http://www.openwall.com/lists/oss-security/2022/10/19/3
Mailing List
Third Party Advisory
https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2622
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:a:jenkins:compuware_source_code_download_for_endevor\,_pds\,_and_ispw:*:*:*:*:*:jenkins:*:*

Версия до 2.0.13 (исключая)

Одно из

cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*

Версия до 2.303.2 (включая)

cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*

Версия до 2.318 (включая)

EPSS

Процентиль: 77%

0.01026

Низкий

5.3 Medium

CVSS3

Дефекты

NVD-CWE-noinfo

CWE-610

Связанные уязвимости

GHSA-682j-2p53-xp5f

CVSS3: 4.3

github

больше 3 лет назад

Agent-to-controller security bypass vulnerability in Jenkins BMC Compuware Source Code Download for Endevor, PDS, and ISPW Plugin