CVE-2022-43428 – com.compuware.jenkins:compuware-topaz-for-total-test
Package
Manager: maven
Name: com.compuware.jenkins:compuware-topaz-for-total-test
Vulnerable Version: >=0 <2.4.9
Severity
Level: High
CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00274 (percentile 0.50471)
Details
Agent-to-controller security bypass vulnerabilities in Jenkins Compuware Topaz for Total Test Plugin
Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. These vulnerabilities are only exploitable in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. See the [LTS upgrade guide](https://www.jenkins.io/doc/upgrade-guide/2.303/#upgrading-to-jenkins-lts-2-303-3).
Metadata
Created: 2022-10-19T19:00:22Z
Modified: 2022-12-16T19:55:09Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-xp3r-9wx8-q2mm/GHSA-xp3r-9wx8-q2mm.json
CWE IDs: ["CWE-610", "CWE-693"]
Alternative ID: GHSA-xp3r-9wx8-q2mm
Finding: F115
Auto approve: 1