CVE-2022-43430 — XXE vulnerability in Jenkins Compuware Topaz for Total Test Plugin

Description

Compuware Topaz for Total Test Plugin 2.4.8 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows attackers able to control the input files for the 'Topaz for Total Test - Execute Total Test scenarios' build step to have Jenkins parse a crafted XML document that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

How to fix CVE-2022-43430

To remediate CVE-2022-43430, upgrade the affected package to a fixed version below.

—upgrade to 2.4.9 or later

Is CVE-2022-43430 being exploited?

Low — EPSS is 4.4%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.4.9

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.1	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-43430
PATCHgithub.com/jenkinsci/compuware-topaz-for-total-test-plugin
WEBgithub.com/jenkinsci/compuware-topaz-for-total-test-plugin/commit/9ce24fb63fcdb94290340d2ec53f478635c416ab
WEBwww.jenkins.io/security/advisory/2022-10-19/#SECURITY-2625