CVE-2022-43424

Опубликовано: 19 окт. 2022

Источник: nvd

CVSS3: 5.3

EPSS Низкий

Описание

Jenkins Compuware Xpediter Code Coverage Plugin 1.0.7 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.

Ссылки

http://www.openwall.com/lists/oss-security/2022/10/19/3
Mailing List
Third Party Advisory
https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2627
Vendor Advisory
http://www.openwall.com/lists/oss-security/2022/10/19/3
Mailing List
Third Party Advisory
https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2627
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:a:jenkins:compuware_xpediter_code_coverage:*:*:*:*:*:jenkins:*:*

Версия до 1.0.8 (исключая)

Одно из

cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*

Версия до 2.303.2 (включая)

cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*

Версия до 2.318 (включая)

EPSS

Процентиль: 77%

0.01026

Низкий

5.3 Medium

CVSS3

Дефекты

NVD-CWE-noinfo

CWE-693

Связанные уязвимости

GHSA-mfcw-83qg-4vw3

CVSS3: 4.3

github

больше 3 лет назад

Agent-to-controller security bypass vulnerability in Jenkins Compuware Xpediter Code Coverage Plugin