CVE-2022-43422

Jenkins Compuware Topaz Utilities Plugin 1.0.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2022/10/19/3	Mailing List Third Party Advisory
https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2620	Vendor Advisory
http://www.openwall.com/lists/oss-security/2022/10/19/3	Mailing List Third Party Advisory
https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2620	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:jenkins:compuware_topaz_utilities:*:*:*:*:*:jenkins:*:*

OR	cpe:2.3:a:jenkins:jenkins:::::-:::*
	cpe:2.3:a:jenkins:jenkins:::::lts:::*

History

21 Nov 2024, 07:26

Type	Values Removed	Values Added
References	~~() http://www.openwall.com/lists/oss-security/2022/10/19/3 - Mailing List, Third Party Advisory~~	() http://www.openwall.com/lists/oss-security/2022/10/19/3 - Mailing List, Third Party Advisory
References	~~() https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2620 - Vendor Advisory~~	() https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2620 - Vendor Advisory

Information

Published : 2022-10-19 16:15

Updated : 2024-11-21 07:26

NVD link : CVE-2022-43422

Mitre link : CVE-2022-43422

CVE.ORG link : CVE-2022-43422

JSON object : View

Products Affected

jenkins

compuware_topaz_utilities
jenkins

CWE

NVD-CWE-noinfo

{"id": "CVE-2022-43422", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2022-10-19T16:15:11.333", "references": [{"url": "http://www.openwall.com/lists/oss-security/2022/10/19/3", "tags": ["Mailing List", "Third Party Advisory"], "source": "jenkinsci-cert@googlegroups.com"}, {"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2620", "tags": ["Vendor Advisory"], "source": "jenkinsci-cert@googlegroups.com"}, {"url": "http://www.openwall.com/lists/oss-security/2022/10/19/3", "tags": ["Mailing List", "Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2620", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Jenkins Compuware Topaz Utilities Plugin 1.0.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process."}, {"lang": "es", "value": "Jenkins Compuware Topaz Utilities Plugin versiones 1.0.8 y anteriores, implementan un mensaje de agent/controller que no limita d\u00f3nde puede ser ejecutado, permitiendo a atacantes capaces de controlar los procesos del agente obtener los valores de las propiedades del sistema Java del proceso controlador de Jenkins"}], "lastModified": "2024-11-21T07:26:27.180", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:compuware_topaz_utilities:*:*:*:*:*:jenkins:*:*", "vulnerable": true, "matchCriteriaId": "036F1419-2CD5-4D4A-BCF9-2D579DC0E661", "versionEndExcluding": "1.0.9"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*", "vulnerable": false, "matchCriteriaId": "7ED488A9-B9FF-4539-A7B5-ADC4D314039F", "versionEndIncluding": "2.138"}, {"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*", "vulnerable": false, "matchCriteriaId": "988C6F39-A7CD-4CF3-8E38-A0179F078528", "versionEndIncluding": "2.303.2"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com"}