CVE-2022-43416

Description

Jenkins Katalon Plugin 1.0.32 and earlier implements an agent/controller message that does not limit where it can be executed and allows invoking Katalon with configurable arguments. It allows attackers able to control agent processes to invoke Katalon on the Jenkins controller with attacker-controlled version, install location, and arguments. Attackers additionally able to create files on the Jenkins controller (e.g., attackers with Item/Configure permission could archive artifacts) can invoke arbitrary OS commands. Katalon Plugin 1.0.33 changes the message type to controller-to-agent, preventing execution on the controller.

How to fix CVE-2022-43416

To remediate CVE-2022-43416, upgrade the affected package to a fixed version below.

• —upgrade to 1.0.33 or later

Is CVE-2022-43416 being exploited?

Low — EPSS is 2.7%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 1.0.33

CVSS scores

References (4)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-43416
• WEBgithub.com/jenkinsci/katalon-plugin/commit/0ee4b34afdcba367b547aa0a706cb1c66ac9f45a
• WEBwww.jenkins.io/security/advisory/2022-10-19/#SECURITY-2844
• WEBwww.openwall.com/lists/oss-security/2022/10/19/3