CVE-2022-43428

Опубликовано: 19 окт. 2022

Источник: nvd

CVSS3: 5.3

EPSS Низкий

Описание

Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.

Ссылки

http://www.openwall.com/lists/oss-security/2022/10/19/3
Mailing List
Third Party Advisory
https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2624
Vendor Advisory
http://www.openwall.com/lists/oss-security/2022/10/19/3
Mailing List
Third Party Advisory
https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2624
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одновременно

cpe:2.3:a:jenkins:compuware_topaz_for_total_test:*:*:*:*:*:jenkins:*:*

Версия до 2.4.8 (включая)

Одно из

cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*

Версия до 2.303.2 (включая)

cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*

Версия до 2.318 (включая)

EPSS

Процентиль: 77%

0.01026

Низкий

5.3 Medium

CVSS3

Дефекты

NVD-CWE-noinfo

CWE-610

Связанные уязвимости

GHSA-xp3r-9wx8-q2mm

CVSS3: 7.5

github

больше 3 лет назад

Agent-to-controller security bypass vulnerabilities in Jenkins Compuware Topaz for Total Test Plugin