CVE-2022-43424
First published: Wed Oct 19 2022(Updated: )
Compuware Xpediter Code Coverage Plugin 1.0.7 and earlier implements an agent/controller message that does not limit where it can be executed. It allows attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. This vulnerability is only exploitable in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. See the [LTS upgrade guide](https://www.jenkins.io/doc/upgrade-guide/2.303/#upgrading-to-jenkins-lts-2-303-3). Compuware Xpediter Code Coverage Plugin 1.0.8 restricts execution of the agent/controller message to agents.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins Compuware Xpediter Code | <=1.0.7 | |
| Jenkins Jenkins | <=2.303.2 | |
| Jenkins Jenkins | <=2.318 | |
| Jenkins Compuware Xpediter Code Coverage | <1.0.8 | |
| maven/com.compuware.jenkins:compuware-xpediter-code-coverage | <1.0.8 | 1.0.8 |
| All of | ||
| Jenkins Compuware Xpediter Code Coverage | <1.0.8 | |
| Any of | ||
| Jenkins Jenkins | <=2.303.2 | |
| Jenkins Jenkins | <=2.318 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2022-43424
- https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2627
- http://www.openwall.com/lists/oss-security/2022/10/19/3
- https://github.com/jenkinsci/compuware-xpediter-code-coverage-plugin/commit/e506fc9e77a2609f6a5aa331e052d35be652071c
- https://github.com/advisories/GHSA-mfcw-83qg-4vw3 (Advisory)
Frequently Asked Questions
What is the vulnerability ID for the Jenkins Compuware Xpediter Code Coverage Plugin?
The vulnerability ID is CVE-2022-43424.
What is the severity level of CVE-2022-43424?
The severity level is medium with a CVSS score of 5.3.
What is the affected software for CVE-2022-43424?
The affected software is Jenkins Compuware Xpediter Code Coverage Plugin version 1.0.7 and earlier.
Are the LTS versions of Jenkins vulnerable to CVE-2022-43424?
No, the LTS versions of Jenkins are not vulnerable to CVE-2022-43424.
How can an attacker exploit CVE-2022-43424?
An attacker who can control agent processes can exploit CVE-2022-43424 to obtain the values of Java system properties from the Jenkins controller process.
- agent/author
- agent/description
- agent/event
- agent/first-publish-date
- agent/last-modified-date
- agent/references
- agent/severity
- agent/softwarecombine
- agent/tags
- agent/type
- agent/weakness
- collector/github-advisory
- source/GitHub
- alias/GHSA-mfcw-83qg-4vw3
- alias/CVE-2022-43424
- agent/software-canonical-lookup
- collector/github-advisory-latest
- collector/nvd-api
- collector/nvd-cve
- source/NVD
- collector/nvd-index
- package-manager/maven
- vendor/jenkins
- canonical/jenkins compuware xpediter code coverage
- canonical/jenkins jenkins
- version/jenkins jenkins/2.303.2
- version/jenkins jenkins/2.318
- canonical/jenkins compuware xpediter code
- version/jenkins compuware xpediter code/1.0.7