CVE-2022-43423
First published: Wed Oct 19 2022(Updated: )
BMC Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.12 and earlier implements an agent/controller message that does not limit where it can be executed. It allows attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. This vulnerability is only exploitable in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. See the [LTS upgrade guide](https://www.jenkins.io/doc/upgrade-guide/2.303/#upgrading-to-jenkins-lts-2-303-3). BMC Compuware Source Code Download for Endevor, PDS, and ISPW Plugin 2.0.13 restricts execution of the agent/controller message to agents.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins Compuware Source Code Download For Endevor\, Pds\, And Ispw | <2.0.13 | |
| Jenkins Jenkins | <=2.303.2 | |
| Jenkins Jenkins | <=2.318 | |
| All of | ||
| <2.0.13 | ||
| Any of | ||
| <=2.303.2 | ||
| <=2.318 | ||
| maven/com.compuware.jenkins:compuware-scm-downloader | <2.0.13 | 2.0.13 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2022-43423
- https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2622
- http://www.openwall.com/lists/oss-security/2022/10/19/3
- https://github.com/jenkinsci/compuware-scm-downloader-plugin/commit/115f057078baad506e2b34b74f4f0600f81990b3
- https://github.com/advisories/GHSA-682j-2p53-xp5f (Advisory)
Frequently Asked Questions
What is the vulnerability ID of this Jenkins vulnerability?
The vulnerability ID of this Jenkins vulnerability is CVE-2022-43423.
What is the severity of CVE-2022-43423?
The severity of CVE-2022-43423 is medium with a CVSS score of 5.3.
What is the affected software of CVE-2022-43423?
The affected software of CVE-2022-43423 is Jenkins Compuware Source Code Download for Endevor, PDS, and ISPW Plugin version 2.0.12 and earlier.
How can attackers exploit CVE-2022-43423?
Attackers able to control agent processes can exploit CVE-2022-43423 to obtain the values of Java system properties from the Jenkins controller.
Are the Jenkins LTS versions vulnerable to CVE-2022-43423?
No, the Jenkins LTS versions are not vulnerable to CVE-2022-43423.
- collector/nvd-index
- collector/nvd-api
- collector/github-advisory-latest
- alias/GHSA-682j-2p53-xp5f
- alias/CVE-2022-43423
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- agent/softwarecombine
- agent/severity
- agent/references
- agent/weakness
- agent/author
- collector/github-advisory
- source/GitHub
- agent/software-canonical-lookup
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/event
- agent/description
- collector/mitre-cve
- source/MITRE
- vendor/jenkins
- canonical/jenkins compuware source code download for endevor\, pds\, and ispw
- canonical/jenkins jenkins
- version/jenkins jenkins/2.303.2
- version/jenkins jenkins/2.318
- package-manager/maven