CVE-2022-43422

Jenkins Compuware Topaz Utilities Plugin 1.0.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
http://www.openwall.com/lists/oss-security/2022/10/19/3	Mailing List Third Party Advisory
https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2620	Vendor Advisory

Configurations

Configuration 1 (hide)

AND

cpe:2.3:a:jenkins:compuware_topaz_utilities:*:*:*:*:*:jenkins:*:*

OR	cpe:2.3:a:jenkins:jenkins:::::-:::*
	cpe:2.3:a:jenkins:jenkins:::::lts:::*

History

No history.

Information

Published : 2022-10-19 16:15

Updated : 2023-11-22 04:22

NVD link : CVE-2022-43422

Mitre link : CVE-2022-43422

CVE.ORG link : CVE-2022-43422

JSON object : View

Products Affected

jenkins

jenkins
compuware_topaz_utilities

CWE

NVD-CWE-noinfo

{"id": "CVE-2022-43422", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 3.9}]}, "published": "2022-10-19T16:15:11.333", "references": [{"url": "http://www.openwall.com/lists/oss-security/2022/10/19/3", "tags": ["Mailing List", "Third Party Advisory"], "source": "jenkinsci-cert@googlegroups.com"}, {"url": "https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2620", "tags": ["Vendor Advisory"], "source": "jenkinsci-cert@googlegroups.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Jenkins Compuware Topaz Utilities Plugin 1.0.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process."}, {"lang": "es", "value": "Jenkins Compuware Topaz Utilities Plugin versiones 1.0.8 y anteriores, implementan un mensaje de agent/controller que no limita d\u00f3nde puede ser ejecutado, permitiendo a atacantes capaces de controlar los procesos del agente obtener los valores de las propiedades del sistema Java del proceso controlador de Jenkins"}], "lastModified": "2023-11-22T04:22:44.253", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:compuware_topaz_utilities:*:*:*:*:*:jenkins:*:*", "vulnerable": true, "matchCriteriaId": "036F1419-2CD5-4D4A-BCF9-2D579DC0E661", "versionEndExcluding": "1.0.9"}], "operator": "OR"}, {"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*", "vulnerable": false, "matchCriteriaId": "7ED488A9-B9FF-4539-A7B5-ADC4D314039F", "versionEndIncluding": "2.138"}, {"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*", "vulnerable": false, "matchCriteriaId": "988C6F39-A7CD-4CF3-8E38-A0179F078528", "versionEndIncluding": "2.303.2"}], "operator": "OR"}], "operator": "AND"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com"}