CVE-2022-43428 — Agent-to-controller security bypass vulnerabilities in Jenkins Compuware Topaz f

Description

Jenkins Compuware Topaz for Total Test Plugin 2.4.8 and earlier implements an agent/controller message that does not limit where it can be executed, allowing attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. These vulnerabilities are only exploitable in Jenkins 2.318 and earlier, LTS 2.303.2 and earlier. See the [LTS upgrade guide](https://www.jenkins.io/doc/upgrade-guide/2.303/#upgrading-to-jenkins-lts-2-303-3).

How to fix CVE-2022-43428

To remediate CVE-2022-43428, upgrade the affected package to a fixed version below.

—upgrade to 2.4.9 or later

Is CVE-2022-43428 being exploited?

Low — EPSS is 1.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.4.9

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-43428
PATCHgithub.com/jenkinsci/compuware-topaz-for-total-test-plugin
WEBgithub.com/jenkinsci/compuware-topaz-for-total-test-plugin/commit/5fca6eb21599f8f27323dfa17a6e44f8176ca551
WEBwww.jenkins.io/security/advisory/2022-10-19/#SECURITY-2624